2 * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: update.c,v 1.186.16.7 2011/11/03 02:55:34 each Exp $ */
22 #include <isc/netaddr.h>
23 #include <isc/print.h>
24 #include <isc/serial.h>
25 #include <isc/stats.h>
26 #include <isc/string.h>
27 #include <isc/taskpool.h>
31 #include <dns/dbiterator.h>
33 #include <dns/dnssec.h>
34 #include <dns/events.h>
35 #include <dns/fixedname.h>
36 #include <dns/journal.h>
37 #include <dns/keyvalues.h>
38 #include <dns/message.h>
40 #include <dns/nsec3.h>
41 #include <dns/private.h>
42 #include <dns/rdataclass.h>
43 #include <dns/rdataset.h>
44 #include <dns/rdatasetiter.h>
45 #include <dns/rdatastruct.h>
46 #include <dns/rdatatype.h>
54 #include <named/client.h>
55 #include <named/log.h>
56 #include <named/server.h>
57 #include <named/update.h>
61 * This module implements dynamic update as in RFC2136.
66 * - document strict minimality
69 /**************************************************************************/
72 * Log level for tracing dynamic update protocol requests.
74 #define LOGLEVEL_PROTOCOL ISC_LOG_INFO
77 * Log level for low-level debug tracing.
79 #define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
82 * Check an operation for failure. These macros all assume that
83 * the function using them has a 'result' variable and a 'failure'
88 if (result != ISC_R_SUCCESS) goto failure; \
92 * Fail unconditionally with result 'code', which must not
93 * be ISC_R_SUCCESS. The reason for failure presumably has
94 * been logged already.
96 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
97 * from complaining about "end-of-loop code not reached".
103 if (result != ISC_R_SUCCESS) goto failure; \
107 * Fail unconditionally and log as a client error.
108 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
109 * from complaining about "end-of-loop code not reached".
111 #define FAILC(code, msg) \
113 const char *_what = "failed"; \
116 case DNS_R_NXDOMAIN: \
117 case DNS_R_YXDOMAIN: \
118 case DNS_R_YXRRSET: \
119 case DNS_R_NXRRSET: \
120 _what = "unsuccessful"; \
122 update_log(client, zone, LOGLEVEL_PROTOCOL, \
123 "update %s: %s (%s)", _what, \
124 msg, isc_result_totext(result)); \
125 if (result != ISC_R_SUCCESS) goto failure; \
127 #define PREREQFAILC(code, msg) \
129 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
133 #define FAILN(code, name, msg) \
135 const char *_what = "failed"; \
138 case DNS_R_NXDOMAIN: \
139 case DNS_R_YXDOMAIN: \
140 case DNS_R_YXRRSET: \
141 case DNS_R_NXRRSET: \
142 _what = "unsuccessful"; \
144 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
145 char _nbuf[DNS_NAME_FORMATSIZE]; \
146 dns_name_format(name, _nbuf, sizeof(_nbuf)); \
147 update_log(client, zone, LOGLEVEL_PROTOCOL, \
148 "update %s: %s: %s (%s)", _what, _nbuf, \
149 msg, isc_result_totext(result)); \
151 if (result != ISC_R_SUCCESS) goto failure; \
153 #define PREREQFAILN(code, name, msg) \
155 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
156 FAILN(code, name, msg); \
159 #define FAILNT(code, name, type, msg) \
161 const char *_what = "failed"; \
164 case DNS_R_NXDOMAIN: \
165 case DNS_R_YXDOMAIN: \
166 case DNS_R_YXRRSET: \
167 case DNS_R_NXRRSET: \
168 _what = "unsuccessful"; \
170 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
171 char _nbuf[DNS_NAME_FORMATSIZE]; \
172 char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
173 dns_name_format(name, _nbuf, sizeof(_nbuf)); \
174 dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
175 update_log(client, zone, LOGLEVEL_PROTOCOL, \
176 "update %s: %s/%s: %s (%s)", \
177 _what, _nbuf, _tbuf, msg, \
178 isc_result_totext(result)); \
180 if (result != ISC_R_SUCCESS) goto failure; \
182 #define PREREQFAILNT(code, name, type, msg) \
184 inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
185 FAILNT(code, name, type, msg); \
189 * Fail unconditionally and log as a server error.
190 * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
191 * from complaining about "end-of-loop code not reached".
193 #define FAILS(code, msg) \
196 update_log(client, zone, LOGLEVEL_PROTOCOL, \
198 msg, isc_result_totext(result)); \
199 if (result != ISC_R_SUCCESS) goto failure; \
203 * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
205 #define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
207 /**************************************************************************/
209 typedef struct rr rr_t;
212 /* dns_name_t name; */
217 typedef struct update_event update_event_t;
219 struct update_event {
220 ISC_EVENT_COMMON(update_event_t);
223 dns_message_t *answer;
226 /**************************************************************************/
228 * Forward declarations.
231 static void update_action(isc_task_t *task, isc_event_t *event);
232 static void updatedone_action(isc_task_t *task, isc_event_t *event);
233 static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
234 static void forward_done(isc_task_t *task, isc_event_t *event);
236 /**************************************************************************/
239 update_log(ns_client_t *client, dns_zone_t *zone,
240 int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
243 update_log(ns_client_t *client, dns_zone_t *zone,
244 int level, const char *fmt, ...)
248 char namebuf[DNS_NAME_FORMATSIZE];
249 char classbuf[DNS_RDATACLASS_FORMATSIZE];
251 if (client == NULL || zone == NULL)
254 if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
257 dns_name_format(dns_zone_getorigin(zone), namebuf,
259 dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
263 vsnprintf(message, sizeof(message), fmt, ap);
266 ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
267 level, "updating zone '%s/%s': %s",
268 namebuf, classbuf, message);
272 * Increment updated-related statistics counters.
275 inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
276 isc_stats_increment(ns_g_server->nsstats, counter);
279 isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
280 if (zonestats != NULL)
281 isc_stats_increment(zonestats, counter);
286 * Check if we could have queried for the contents of this zone or
287 * if the zone is potentially updateable.
288 * If the zone can potentially be updated and the check failed then
289 * log a error otherwise we log a informational message.
292 checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
293 dns_acl_t *updateacl, dns_ssutable_t *ssutable)
295 char namebuf[DNS_NAME_FORMATSIZE];
296 char classbuf[DNS_RDATACLASS_FORMATSIZE];
300 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
301 if (result != ISC_R_SUCCESS) {
302 dns_name_format(zonename, namebuf, sizeof(namebuf));
303 dns_rdataclass_format(client->view->rdclass, classbuf,
306 level = (updateacl == NULL && ssutable == NULL) ?
307 ISC_LOG_INFO : ISC_LOG_ERROR;
309 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
310 NS_LOGMODULE_UPDATE, level,
311 "update '%s/%s' denied due to allow-query",
313 } else if (updateacl == NULL && ssutable == NULL) {
314 dns_name_format(zonename, namebuf, sizeof(namebuf));
315 dns_rdataclass_format(client->view->rdclass, classbuf,
318 result = DNS_R_REFUSED;
319 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
320 NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
321 "update '%s/%s' denied", namebuf, classbuf);
327 * Override the default acl logging when checking whether a client
328 * can update the zone or whether we can forward the request to the
329 * master based on IP address.
331 * 'message' contains the type of operation that is being attempted.
332 * 'slave' indicates if this is a slave zone. If 'acl' is NULL then
334 * If the zone has no access controls configured ('acl' == NULL &&
335 * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
338 * If the request was signed log that we received it.
341 checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
342 dns_name_t *zonename, isc_boolean_t slave,
343 isc_boolean_t has_ssutable)
345 char namebuf[DNS_NAME_FORMATSIZE];
346 char classbuf[DNS_RDATACLASS_FORMATSIZE];
347 int level = ISC_LOG_ERROR;
348 const char *msg = "denied";
351 if (slave && acl == NULL) {
352 result = DNS_R_NOTIMP;
353 level = ISC_LOG_DEBUG(3);
356 result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
357 if (result == ISC_R_SUCCESS) {
358 level = ISC_LOG_DEBUG(3);
360 } else if (acl == NULL && !has_ssutable) {
361 level = ISC_LOG_INFO;
365 if (client->signer != NULL) {
366 dns_name_format(client->signer, namebuf, sizeof(namebuf));
367 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
368 NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
369 "signer \"%s\" %s", namebuf, msg);
372 dns_name_format(zonename, namebuf, sizeof(namebuf));
373 dns_rdataclass_format(client->view->rdclass, classbuf,
376 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
377 NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
378 message, namebuf, classbuf, msg);
383 * Update a single RR in version 'ver' of 'db' and log the
387 * \li '*tuple' == NULL. Either the tuple is freed, or its
388 * ownership has been transferred to the diff.
391 do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
394 dns_diff_t temp_diff;
398 * Create a singleton diff.
400 dns_diff_init(diff->mctx, &temp_diff);
401 temp_diff.resign = diff->resign;
402 ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
405 * Apply it to the database.
407 result = dns_diff_apply(&temp_diff, db, ver);
408 ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
409 if (result != ISC_R_SUCCESS) {
410 dns_difftuple_free(tuple);
415 * Merge it into the current pending journal entry.
417 dns_diff_appendminimal(diff, tuple);
420 * Do not clear temp_diff.
422 return (ISC_R_SUCCESS);
426 * Perform the updates in 'updates' in version 'ver' of 'db' and log the
430 * \li 'updates' is empty.
433 do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
437 while (! ISC_LIST_EMPTY(updates->tuples)) {
438 dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
439 ISC_LIST_UNLINK(updates->tuples, t, link);
440 CHECK(do_one_tuple(&t, db, ver, diff));
442 return (ISC_R_SUCCESS);
445 dns_diff_clear(diff);
450 update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
451 dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
454 dns_difftuple_t *tuple = NULL;
456 result = dns_difftuple_create(diff->mctx, op,
457 name, ttl, rdata, &tuple);
458 if (result != ISC_R_SUCCESS)
460 return (do_one_tuple(&tuple, db, ver, diff));
463 /**************************************************************************/
465 * Callback-style iteration over rdatasets and rdatas.
467 * foreach_rrset() can be used to iterate over the RRsets
468 * of a name and call a callback function with each
469 * one. Similarly, foreach_rr() can be used to iterate
470 * over the individual RRs at name, optionally restricted
471 * to RRs of a given type.
473 * The callback functions are called "actions" and take
474 * two arguments: a void pointer for passing arbitrary
475 * context information, and a pointer to the current RRset
476 * or RR. By convention, their names end in "_action".
480 * XXXRTH We might want to make this public somewhere in libdns.
484 * Function type for foreach_rrset() iterator actions.
486 typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
489 * Function type for foreach_rr() iterator actions.
491 typedef isc_result_t rr_func(void *data, rr_t *rr);
494 * Internal context struct for foreach_node_rr().
498 void * rr_action_data;
499 } foreach_node_rr_ctx_t;
502 * Internal helper function for foreach_node_rr().
505 foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
507 foreach_node_rr_ctx_t *ctx = data;
508 for (result = dns_rdataset_first(rdataset);
509 result == ISC_R_SUCCESS;
510 result = dns_rdataset_next(rdataset))
512 rr_t rr = { 0, DNS_RDATA_INIT };
514 dns_rdataset_current(rdataset, &rr.rdata);
515 rr.ttl = rdataset->ttl;
516 result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
517 if (result != ISC_R_SUCCESS)
520 if (result != ISC_R_NOMORE)
522 return (ISC_R_SUCCESS);
526 * For each rdataset of 'name' in 'ver' of 'db', call 'action'
527 * with the rdataset and 'action_data' as arguments. If the name
528 * does not exist, do nothing.
530 * If 'action' returns an error, abort iteration and return the error.
533 foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
534 rrset_func *action, void *action_data)
538 dns_rdatasetiter_t *iter;
541 result = dns_db_findnode(db, name, ISC_FALSE, &node);
542 if (result == ISC_R_NOTFOUND)
543 return (ISC_R_SUCCESS);
544 if (result != ISC_R_SUCCESS)
548 result = dns_db_allrdatasets(db, node, ver,
549 (isc_stdtime_t) 0, &iter);
550 if (result != ISC_R_SUCCESS)
553 for (result = dns_rdatasetiter_first(iter);
554 result == ISC_R_SUCCESS;
555 result = dns_rdatasetiter_next(iter))
557 dns_rdataset_t rdataset;
559 dns_rdataset_init(&rdataset);
560 dns_rdatasetiter_current(iter, &rdataset);
562 result = (*action)(action_data, &rdataset);
564 dns_rdataset_disassociate(&rdataset);
565 if (result != ISC_R_SUCCESS)
566 goto cleanup_iterator;
568 if (result == ISC_R_NOMORE)
569 result = ISC_R_SUCCESS;
572 dns_rdatasetiter_destroy(&iter);
575 dns_db_detachnode(db, &node);
581 * For each RR of 'name' in 'ver' of 'db', call 'action'
582 * with the RR and 'action_data' as arguments. If the name
583 * does not exist, do nothing.
585 * If 'action' returns an error, abort iteration
586 * and return the error.
589 foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
590 rr_func *rr_action, void *rr_action_data)
592 foreach_node_rr_ctx_t ctx;
593 ctx.rr_action = rr_action;
594 ctx.rr_action_data = rr_action_data;
595 return (foreach_rrset(db, ver, name,
596 foreach_node_rr_action, &ctx));
601 * For each of the RRs specified by 'db', 'ver', 'name', 'type',
602 * (which can be dns_rdatatype_any to match any type), and 'covers', call
603 * 'action' with the RR and 'action_data' as arguments. If the name
604 * does not exist, or if no RRset of the given type exists at the name,
607 * If 'action' returns an error, abort iteration and return the error.
610 foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
611 dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
612 void *rr_action_data)
617 dns_rdataset_t rdataset;
619 if (type == dns_rdatatype_any)
620 return (foreach_node_rr(db, ver, name,
621 rr_action, rr_action_data));
624 if (type == dns_rdatatype_nsec3 ||
625 (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
626 result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
628 result = dns_db_findnode(db, name, ISC_FALSE, &node);
629 if (result == ISC_R_NOTFOUND)
630 return (ISC_R_SUCCESS);
631 if (result != ISC_R_SUCCESS)
634 dns_rdataset_init(&rdataset);
635 result = dns_db_findrdataset(db, node, ver, type, covers,
636 (isc_stdtime_t) 0, &rdataset, NULL);
637 if (result == ISC_R_NOTFOUND) {
638 result = ISC_R_SUCCESS;
641 if (result != ISC_R_SUCCESS)
644 for (result = dns_rdataset_first(&rdataset);
645 result == ISC_R_SUCCESS;
646 result = dns_rdataset_next(&rdataset))
648 rr_t rr = { 0, DNS_RDATA_INIT };
649 dns_rdataset_current(&rdataset, &rr.rdata);
650 rr.ttl = rdataset.ttl;
651 result = (*rr_action)(rr_action_data, &rr);
652 if (result != ISC_R_SUCCESS)
653 goto cleanup_rdataset;
655 if (result != ISC_R_NOMORE)
656 goto cleanup_rdataset;
657 result = ISC_R_SUCCESS;
660 dns_rdataset_disassociate(&rdataset);
662 dns_db_detachnode(db, &node);
667 /**************************************************************************/
669 * Various tests on the database contents (for prerequisites, etc).
673 * Function type for predicate functions that compare a database RR 'db_rr'
674 * against an update RR 'update_rr'.
676 typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
679 * Helper function for rrset_exists().
682 rrset_exists_action(void *data, rr_t *rr) {
685 return (ISC_R_EXISTS);
689 * Utility macro for RR existence checking functions.
691 * If the variable 'result' has the value ISC_R_EXISTS or
692 * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
693 * respectively, and return success.
695 * If 'result' has any other value, there was a failure.
696 * Return the failure result code and do not set *exists.
698 * This would be more readable as "do { if ... } while(0)",
699 * but that form generates tons of warnings on Solaris 2.6.
701 #define RETURN_EXISTENCE_FLAG \
702 return ((result == ISC_R_EXISTS) ? \
703 (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
704 ((result == ISC_R_SUCCESS) ? \
705 (*exists = ISC_FALSE, ISC_R_SUCCESS) : \
709 * Set '*exists' to true iff an rrset of the given type exists,
710 * to false otherwise.
713 rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
714 dns_rdatatype_t type, dns_rdatatype_t covers,
715 isc_boolean_t *exists)
718 result = foreach_rr(db, ver, name, type, covers,
719 rrset_exists_action, NULL);
720 RETURN_EXISTENCE_FLAG;
724 * Set '*visible' to true if the RRset exists and is part of the
725 * visible zone. Otherwise '*visible' is set to false unless a
729 rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
730 dns_rdatatype_t type, isc_boolean_t *visible)
733 dns_fixedname_t fixed;
735 dns_fixedname_init(&fixed);
736 result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
737 (isc_stdtime_t) 0, NULL,
738 dns_fixedname_name(&fixed), NULL, NULL);
744 * Glue, obscured, deleted or replaced records.
746 case DNS_R_DELEGATION:
751 case DNS_R_EMPTYNAME:
752 case DNS_R_COVERINGNSEC:
753 *visible = ISC_FALSE;
754 result = ISC_R_SUCCESS;
763 * Helper function for cname_incompatible_rrset_exists.
766 cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
768 if (rrset->type != dns_rdatatype_cname &&
769 ! dns_rdatatype_isdnssec(rrset->type))
770 return (ISC_R_EXISTS);
771 return (ISC_R_SUCCESS);
775 * Check whether there is an rrset incompatible with adding a CNAME RR,
776 * i.e., anything but another CNAME (which can be replaced) or a
777 * DNSSEC RR (which can coexist).
779 * If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
780 * Otherwise, set it to ISC_FALSE.
783 cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
784 dns_name_t *name, isc_boolean_t *exists) {
786 result = foreach_rrset(db, ver, name,
787 cname_compatibility_action, NULL);
788 RETURN_EXISTENCE_FLAG;
792 * Helper function for rr_count().
795 count_rr_action(void *data, rr_t *rr) {
799 return (ISC_R_SUCCESS);
803 * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
806 rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
807 dns_rdatatype_t type, dns_rdatatype_t covers, int *countp)
810 return (foreach_rr(db, ver, name, type, covers,
811 count_rr_action, countp));
815 * Context struct and helper function for name_exists().
819 name_exists_action(void *data, dns_rdataset_t *rrset) {
822 return (ISC_R_EXISTS);
826 * Set '*exists' to true iff the given name exists, to false otherwise.
829 name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
830 isc_boolean_t *exists)
833 result = foreach_rrset(db, ver, name,
834 name_exists_action, NULL);
835 RETURN_EXISTENCE_FLAG;
839 * 'ssu_check_t' is used to pass the arguments to
840 * dns_ssutable_checkrules() to the callback function
844 /* The ownername of the record to be updated. */
847 /* The signature's name if the request was signed. */
850 /* The address of the client if the request was received via TCP. */
851 isc_netaddr_t *tcpaddr;
853 /* The ssu table to check against. */
854 dns_ssutable_t *table;
856 /* the key used for TKEY requests */
861 ssu_checkrule(void *data, dns_rdataset_t *rrset) {
862 ssu_check_t *ssuinfo = data;
863 isc_boolean_t result;
866 * If we're deleting all records, it's ok to delete RRSIG and NSEC even
867 * if we're normally not allowed to.
869 if (rrset->type == dns_rdatatype_rrsig ||
870 rrset->type == dns_rdatatype_nsec)
871 return (ISC_R_SUCCESS);
872 result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
873 ssuinfo->name, ssuinfo->tcpaddr,
874 rrset->type, ssuinfo->key);
875 return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
879 ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
880 dns_ssutable_t *ssutable, dns_name_t *signer,
881 isc_netaddr_t *tcpaddr, dst_key_t *key)
887 ssuinfo.table = ssutable;
888 ssuinfo.signer = signer;
889 ssuinfo.tcpaddr = tcpaddr;
891 result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
892 return (ISC_TF(result == ISC_R_SUCCESS));
895 /**************************************************************************/
897 * Checking of "RRset exists (value dependent)" prerequisites.
899 * In the RFC2136 section 3.2.5, this is the pseudocode involving
900 * a variable called "temp", a mapping of <name, type> tuples to rrsets.
902 * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
903 * where each tuple has op==DNS_DIFFOP_EXISTS.
908 * Append a tuple asserting the existence of the RR with
909 * 'name' and 'rdata' to 'diff'.
912 temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
914 dns_difftuple_t *tuple = NULL;
916 REQUIRE(DNS_DIFF_VALID(diff));
917 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
918 name, 0, rdata, &tuple));
919 ISC_LIST_APPEND(diff->tuples, tuple, link);
925 * Compare two rdatasets represented as sorted lists of tuples.
926 * All list elements must have the same owner name and type.
927 * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
931 temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
933 if (a == NULL || b == NULL)
935 INSIST(a->op == DNS_DIFFOP_EXISTS &&
936 b->op == DNS_DIFFOP_EXISTS);
937 INSIST(a->rdata.type == b->rdata.type);
938 INSIST(dns_name_equal(&a->name, &b->name));
939 if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0)
940 return (DNS_R_NXRRSET);
941 a = ISC_LIST_NEXT(a, link);
942 b = ISC_LIST_NEXT(b, link);
944 if (a != NULL || b != NULL)
945 return (DNS_R_NXRRSET);
946 return (ISC_R_SUCCESS);
950 * A comparison function defining the sorting order for the entries
951 * in the "temp" data structure. The major sort key is the owner name,
952 * followed by the type and rdata.
955 temp_order(const void *av, const void *bv) {
956 dns_difftuple_t const * const *ap = av;
957 dns_difftuple_t const * const *bp = bv;
958 dns_difftuple_t const *a = *ap;
959 dns_difftuple_t const *b = *bp;
961 r = dns_name_compare(&a->name, &b->name);
964 r = (b->rdata.type - a->rdata.type);
967 r = dns_rdata_casecompare(&a->rdata, &b->rdata);
972 * Check the "RRset exists (value dependent)" prerequisite information
973 * in 'temp' against the contents of the database 'db'.
975 * Return ISC_R_SUCCESS if the prerequisites are satisfied,
976 * rcode(dns_rcode_nxrrset) if not.
978 * 'temp' must be pre-sorted.
982 temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
983 dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
991 dns_diff_init(mctx, &trash);
994 * For each name and type in the prerequisites,
995 * construct a sorted rdata list of the corresponding
996 * database contents, and compare the lists.
998 t = ISC_LIST_HEAD(temp->tuples);
1001 (void)dns_name_copy(name, tmpname, NULL);
1002 *typep = t->rdata.type;
1004 /* A new unique name begins here. */
1006 result = dns_db_findnode(db, name, ISC_FALSE, &node);
1007 if (result == ISC_R_NOTFOUND) {
1008 dns_diff_clear(&trash);
1009 return (DNS_R_NXRRSET);
1011 if (result != ISC_R_SUCCESS) {
1012 dns_diff_clear(&trash);
1016 /* A new unique type begins here. */
1017 while (t != NULL && dns_name_equal(&t->name, name)) {
1018 dns_rdatatype_t type, covers;
1019 dns_rdataset_t rdataset;
1020 dns_diff_t d_rrs; /* Database RRs with
1021 this name and type */
1022 dns_diff_t u_rrs; /* Update RRs with
1023 this name and type */
1025 *typep = type = t->rdata.type;
1026 if (type == dns_rdatatype_rrsig ||
1027 type == dns_rdatatype_sig)
1028 covers = dns_rdata_covers(&t->rdata);
1029 else if (type == dns_rdatatype_any) {
1030 dns_db_detachnode(db, &node);
1031 dns_diff_clear(&trash);
1032 return (DNS_R_NXRRSET);
1037 * Collect all database RRs for this name and type
1038 * onto d_rrs and sort them.
1040 dns_rdataset_init(&rdataset);
1041 result = dns_db_findrdataset(db, node, ver, type,
1042 covers, (isc_stdtime_t) 0,
1044 if (result != ISC_R_SUCCESS) {
1045 dns_db_detachnode(db, &node);
1046 dns_diff_clear(&trash);
1047 return (DNS_R_NXRRSET);
1050 dns_diff_init(mctx, &d_rrs);
1051 dns_diff_init(mctx, &u_rrs);
1053 for (result = dns_rdataset_first(&rdataset);
1054 result == ISC_R_SUCCESS;
1055 result = dns_rdataset_next(&rdataset))
1057 dns_rdata_t rdata = DNS_RDATA_INIT;
1058 dns_rdataset_current(&rdataset, &rdata);
1059 result = temp_append(&d_rrs, name, &rdata);
1060 if (result != ISC_R_SUCCESS)
1063 if (result != ISC_R_NOMORE)
1065 result = dns_diff_sort(&d_rrs, temp_order);
1066 if (result != ISC_R_SUCCESS)
1070 * Collect all update RRs for this name and type
1071 * onto u_rrs. No need to sort them here -
1072 * they are already sorted.
1075 dns_name_equal(&t->name, name) &&
1076 t->rdata.type == type)
1078 dns_difftuple_t *next =
1079 ISC_LIST_NEXT(t, link);
1080 ISC_LIST_UNLINK(temp->tuples, t, link);
1081 ISC_LIST_APPEND(u_rrs.tuples, t, link);
1085 /* Compare the two sorted lists. */
1086 result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
1087 ISC_LIST_HEAD(d_rrs.tuples));
1088 if (result != ISC_R_SUCCESS)
1092 * We are done with the tuples, but we can't free
1093 * them yet because "name" still points into one
1094 * of them. Move them on a temporary list.
1096 ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
1097 ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
1098 dns_rdataset_disassociate(&rdataset);
1103 dns_diff_clear(&d_rrs);
1104 dns_diff_clear(&u_rrs);
1105 dns_diff_clear(&trash);
1106 dns_rdataset_disassociate(&rdataset);
1107 dns_db_detachnode(db, &node);
1111 dns_db_detachnode(db, &node);
1114 dns_diff_clear(&trash);
1115 return (ISC_R_SUCCESS);
1118 /**************************************************************************/
1120 * Conditional deletion of RRs.
1124 * Context structure for delete_if().
1128 rr_predicate *predicate;
1130 dns_dbversion_t *ver;
1133 dns_rdata_t *update_rr;
1134 } conditional_delete_ctx_t;
1137 * Predicate functions for delete_if().
1141 * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
1142 * an RRSIG nor an NSEC3PARAM nor a NSEC.
1144 static isc_boolean_t
1145 type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1147 return ((db_rr->type != dns_rdatatype_soa &&
1148 db_rr->type != dns_rdatatype_ns &&
1149 db_rr->type != dns_rdatatype_nsec3param &&
1150 db_rr->type != dns_rdatatype_rrsig &&
1151 db_rr->type != dns_rdatatype_nsec) ?
1152 ISC_TRUE : ISC_FALSE);
1156 * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
1158 static isc_boolean_t
1159 type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1161 return ((db_rr->type != dns_rdatatype_rrsig &&
1162 db_rr->type != dns_rdatatype_nsec) ?
1163 ISC_TRUE : ISC_FALSE);
1167 * Return true always.
1169 static isc_boolean_t
1170 true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1177 * Return true if the record is a RRSIG.
1179 static isc_boolean_t
1180 rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1182 return ((db_rr->type == dns_rdatatype_rrsig) ?
1183 ISC_TRUE : ISC_FALSE);
1187 * Return true iff the two RRs have identical rdata.
1189 static isc_boolean_t
1190 rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1192 * XXXRTH This is not a problem, but we should consider creating
1193 * dns_rdata_equal() (that used dns_name_equal()), since it
1194 * would be faster. Not a priority.
1196 return (dns_rdata_casecompare(update_rr, db_rr) == 0 ?
1197 ISC_TRUE : ISC_FALSE);
1201 * Return true iff 'update_rr' should replace 'db_rr' according
1202 * to the special RFC2136 rules for CNAME, SOA, and WKS records.
1204 * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
1205 * make little sense, so we replace those, too.
1207 * Additionally replace RRSIG that have been generated by the same key
1208 * for the same type. This simplifies refreshing a offline KSK by not
1209 * requiring that the old RRSIG be deleted. It also simplifies key
1210 * rollover by only requiring that the new RRSIG be added.
1212 static isc_boolean_t
1213 replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
1214 dns_rdata_rrsig_t updatesig, dbsig;
1215 isc_result_t result;
1217 if (db_rr->type != update_rr->type)
1219 if (db_rr->type == dns_rdatatype_cname)
1221 if (db_rr->type == dns_rdatatype_dname)
1223 if (db_rr->type == dns_rdatatype_soa)
1225 if (db_rr->type == dns_rdatatype_nsec)
1227 if (db_rr->type == dns_rdatatype_rrsig) {
1229 * Replace existing RRSIG with the same keyid,
1230 * covered and algorithm.
1232 result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
1233 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1234 result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
1235 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1236 if (dbsig.keyid == updatesig.keyid &&
1237 dbsig.covered == updatesig.covered &&
1238 dbsig.algorithm == updatesig.algorithm)
1241 if (db_rr->type == dns_rdatatype_wks) {
1243 * Compare the address and protocol fields only. These
1244 * form the first five bytes of the RR data. Do a
1245 * raw binary comparison; unpacking the WKS RRs using
1246 * dns_rdata_tostruct() might be cleaner in some ways.
1248 INSIST(db_rr->length >= 5 && update_rr->length >= 5);
1249 return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
1250 ISC_TRUE : ISC_FALSE);
1253 if (db_rr->type == dns_rdatatype_nsec3param) {
1254 if (db_rr->length != update_rr->length)
1256 INSIST(db_rr->length >= 4 && update_rr->length >= 4);
1258 * Replace NSEC3PARAM records that only differ by the
1261 if (db_rr->data[0] == update_rr->data[0] &&
1262 memcmp(db_rr->data+2, update_rr->data+2,
1263 update_rr->length - 2) == 0)
1270 * Internal helper function for delete_if().
1273 delete_if_action(void *data, rr_t *rr) {
1274 conditional_delete_ctx_t *ctx = data;
1275 if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
1276 isc_result_t result;
1277 result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
1278 DNS_DIFFOP_DEL, ctx->name,
1279 rr->ttl, &rr->rdata);
1282 return (ISC_R_SUCCESS);
1287 * Conditionally delete RRs. Apply 'predicate' to the RRs
1288 * specified by 'db', 'ver', 'name', and 'type' (which can
1289 * be dns_rdatatype_any to match any type). Delete those
1290 * RRs for which the predicate returns true, and log the
1291 * deletions in 'diff'.
1294 delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
1295 dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
1296 dns_rdata_t *update_rr, dns_diff_t *diff)
1298 conditional_delete_ctx_t ctx;
1299 ctx.predicate = predicate;
1304 ctx.update_rr = update_rr;
1305 return (foreach_rr(db, ver, name, type, covers,
1306 delete_if_action, &ctx));
1309 /**************************************************************************/
1311 * Prepare an RR for the addition of the new RR 'ctx->update_rr',
1312 * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
1313 * the RRs if it is replaced by the new RR or has a conflicting TTL.
1314 * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
1315 * we need to do all deletions before any additions so that we don't run
1316 * into transient states with conflicting TTLs.
1321 dns_dbversion_t *ver;
1324 dns_rdata_t *update_rr;
1325 dns_ttl_t update_rr_ttl;
1326 isc_boolean_t ignore_add;
1327 dns_diff_t del_diff;
1328 dns_diff_t add_diff;
1329 } add_rr_prepare_ctx_t;
1332 add_rr_prepare_action(void *data, rr_t *rr) {
1333 isc_result_t result = ISC_R_SUCCESS;
1334 add_rr_prepare_ctx_t *ctx = data;
1335 dns_difftuple_t *tuple = NULL;
1336 isc_boolean_t equal;
1339 * If the update RR is a "duplicate" of the update RR,
1340 * the update should be silently ignored.
1342 equal = ISC_TF(dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0);
1343 if (equal && rr->ttl == ctx->update_rr_ttl) {
1344 ctx->ignore_add = ISC_TRUE;
1345 return (ISC_R_SUCCESS);
1349 * If this RR is "equal" to the update RR, it should
1350 * be deleted before the update RR is added.
1352 if (replaces_p(ctx->update_rr, &rr->rdata)) {
1353 CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
1354 ctx->name, rr->ttl, &rr->rdata,
1356 dns_diff_append(&ctx->del_diff, &tuple);
1357 return (ISC_R_SUCCESS);
1361 * If this RR differs in TTL from the update RR,
1362 * its TTL must be adjusted.
1364 if (rr->ttl != ctx->update_rr_ttl) {
1365 CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
1366 ctx->name, rr->ttl, &rr->rdata,
1368 dns_diff_append(&ctx->del_diff, &tuple);
1370 CHECK(dns_difftuple_create(ctx->add_diff.mctx,
1371 DNS_DIFFOP_ADD, ctx->name,
1373 &rr->rdata, &tuple));
1374 dns_diff_append(&ctx->add_diff, &tuple);
1381 /**************************************************************************/
1383 * Miscellaneous subroutines.
1387 * Extract a single update RR from 'section' of dynamic update message
1388 * 'msg', with consistency checking.
1390 * Stores the owner name, rdata, and TTL of the update RR at 'name',
1391 * 'rdata', and 'ttl', respectively.
1394 get_current_rr(dns_message_t *msg, dns_section_t section,
1395 dns_rdataclass_t zoneclass, dns_name_t **name,
1396 dns_rdata_t *rdata, dns_rdatatype_t *covers,
1397 dns_ttl_t *ttl, dns_rdataclass_t *update_class)
1399 dns_rdataset_t *rdataset;
1400 isc_result_t result;
1401 dns_message_currentname(msg, section, name);
1402 rdataset = ISC_LIST_HEAD((*name)->list);
1403 INSIST(rdataset != NULL);
1404 INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
1405 *covers = rdataset->covers;
1406 *ttl = rdataset->ttl;
1407 result = dns_rdataset_first(rdataset);
1408 INSIST(result == ISC_R_SUCCESS);
1409 dns_rdataset_current(rdataset, rdata);
1410 INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
1411 *update_class = rdata->rdclass;
1412 rdata->rdclass = zoneclass;
1416 * Increment the SOA serial number of database 'db', version 'ver'.
1417 * Replace the SOA record in the database, and log the
1422 * XXXRTH Failures in this routine will be worth logging, when
1423 * we have a logging system. Failure to find the zonename
1424 * or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
1428 increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
1429 dns_diff_t *diff, isc_mem_t *mctx)
1431 dns_difftuple_t *deltuple = NULL;
1432 dns_difftuple_t *addtuple = NULL;
1433 isc_uint32_t serial;
1434 isc_result_t result;
1436 CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
1437 CHECK(dns_difftuple_copy(deltuple, &addtuple));
1438 addtuple->op = DNS_DIFFOP_ADD;
1440 serial = dns_soa_getserial(&addtuple->rdata);
1443 serial = (serial + 1) & 0xFFFFFFFF;
1447 dns_soa_setserial(serial, &addtuple->rdata);
1448 CHECK(do_one_tuple(&deltuple, db, ver, diff));
1449 CHECK(do_one_tuple(&addtuple, db, ver, diff));
1450 result = ISC_R_SUCCESS;
1453 if (addtuple != NULL)
1454 dns_difftuple_free(&addtuple);
1455 if (deltuple != NULL)
1456 dns_difftuple_free(&deltuple);
1461 * Check that the new SOA record at 'update_rdata' does not
1462 * illegally cause the SOA serial number to decrease or stay
1463 * unchanged relative to the existing SOA in 'db'.
1465 * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
1467 * William King points out that RFC2136 is inconsistent about
1468 * the case where the serial number stays unchanged:
1470 * section 3.4.2.2 requires a server to ignore a SOA update request
1471 * if the serial number on the update SOA is less_than_or_equal to
1472 * the zone SOA serial.
1474 * section 3.6 requires a server to ignore a SOA update request if
1475 * the serial is less_than the zone SOA serial.
1477 * Paul says 3.4.2.2 is correct.
1481 check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
1482 dns_rdata_t *update_rdata, isc_boolean_t *ok)
1484 isc_uint32_t db_serial;
1485 isc_uint32_t update_serial;
1486 isc_result_t result;
1488 update_serial = dns_soa_getserial(update_rdata);
1490 result = dns_db_getsoaserial(db, ver, &db_serial);
1491 if (result != ISC_R_SUCCESS)
1494 if (DNS_SERIAL_GE(db_serial, update_serial)) {
1500 return (ISC_R_SUCCESS);
1504 /**************************************************************************/
1506 * Incremental updating of NSECs and RRSIGs.
1510 * We abuse the dns_diff_t type to represent a set of domain names
1511 * affected by the update.
1514 namelist_append_name(dns_diff_t *list, dns_name_t *name) {
1515 isc_result_t result;
1516 dns_difftuple_t *tuple = NULL;
1517 static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
1519 CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
1520 &dummy_rdata, &tuple));
1521 dns_diff_append(list, &tuple);
1527 namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
1529 isc_result_t result;
1530 dns_fixedname_t fixedname;
1532 dns_dbiterator_t *dbit = NULL;
1534 dns_fixedname_init(&fixedname);
1535 child = dns_fixedname_name(&fixedname);
1537 CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
1539 for (result = dns_dbiterator_seek(dbit, name);
1540 result == ISC_R_SUCCESS;
1541 result = dns_dbiterator_next(dbit))
1543 dns_dbnode_t *node = NULL;
1544 CHECK(dns_dbiterator_current(dbit, &node, child));
1545 dns_db_detachnode(db, &node);
1546 if (! dns_name_issubdomain(child, name))
1548 CHECK(namelist_append_name(affected, child));
1550 if (result == ISC_R_NOMORE)
1551 result = ISC_R_SUCCESS;
1554 dns_dbiterator_destroy(&dbit);
1561 * Helper function for non_nsec_rrset_exists().
1564 is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
1566 if (!(rrset->type == dns_rdatatype_nsec ||
1567 rrset->type == dns_rdatatype_nsec3 ||
1568 (rrset->type == dns_rdatatype_rrsig &&
1569 (rrset->covers == dns_rdatatype_nsec ||
1570 rrset->covers == dns_rdatatype_nsec3))))
1571 return (ISC_R_EXISTS);
1572 return (ISC_R_SUCCESS);
1576 * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
1577 * i.e., anything that justifies the continued existence of a name
1578 * after a secure update.
1580 * If such an rrset exists, set '*exists' to ISC_TRUE.
1581 * Otherwise, set it to ISC_FALSE.
1584 non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
1585 dns_name_t *name, isc_boolean_t *exists)
1587 isc_result_t result;
1588 result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
1589 RETURN_EXISTENCE_FLAG;
1593 * A comparison function for sorting dns_diff_t:s by name.
1596 name_order(const void *av, const void *bv) {
1597 dns_difftuple_t const * const *ap = av;
1598 dns_difftuple_t const * const *bp = bv;
1599 dns_difftuple_t const *a = *ap;
1600 dns_difftuple_t const *b = *bp;
1601 return (dns_name_compare(&a->name, &b->name));
1605 uniqify_name_list(dns_diff_t *list) {
1606 isc_result_t result;
1607 dns_difftuple_t *p, *q;
1609 CHECK(dns_diff_sort(list, name_order));
1611 p = ISC_LIST_HEAD(list->tuples);
1614 q = ISC_LIST_NEXT(p, link);
1615 if (q == NULL || ! dns_name_equal(&p->name, &q->name))
1617 ISC_LIST_UNLINK(list->tuples, q, link);
1618 dns_difftuple_free(&q);
1620 p = ISC_LIST_NEXT(p, link);
1627 is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1628 isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure)
1630 isc_result_t result;
1631 dns_fixedname_t foundname;
1632 dns_fixedname_init(&foundname);
1633 result = dns_db_find(db, name, ver, dns_rdatatype_any,
1634 DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
1635 (isc_stdtime_t) 0, NULL,
1636 dns_fixedname_name(&foundname),
1638 if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
1641 if (unsecure != NULL)
1642 *unsecure = ISC_FALSE;
1643 return (ISC_R_SUCCESS);
1644 } else if (result == DNS_R_ZONECUT) {
1647 if (unsecure != NULL) {
1649 * We are at the zonecut. Check to see if there
1652 if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
1653 (isc_stdtime_t) 0, NULL,
1654 dns_fixedname_name(&foundname),
1655 NULL, NULL) == DNS_R_NXRRSET)
1656 *unsecure = ISC_TRUE;
1658 *unsecure = ISC_FALSE;
1660 return (ISC_R_SUCCESS);
1661 } else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
1662 result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
1665 if (unsecure != NULL)
1666 *unsecure = ISC_FALSE;
1667 return (ISC_R_SUCCESS);
1674 if (unsecure != NULL)
1675 *unsecure = ISC_FALSE;
1681 * Find the next/previous name that has a NSEC record.
1682 * In other words, skip empty database nodes and names that
1683 * have had their NSECs removed because they are obscured by
1687 next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1688 dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
1689 isc_boolean_t forward)
1691 isc_result_t result;
1692 dns_dbiterator_t *dbit = NULL;
1693 isc_boolean_t has_nsec = ISC_FALSE;
1694 unsigned int wraps = 0;
1695 isc_boolean_t secure = dns_db_issecure(db);
1697 CHECK(dns_db_createiterator(db, 0, &dbit));
1699 CHECK(dns_dbiterator_seek(dbit, oldname));
1701 dns_dbnode_t *node = NULL;
1704 result = dns_dbiterator_next(dbit);
1706 result = dns_dbiterator_prev(dbit);
1707 if (result == ISC_R_NOMORE) {
1712 CHECK(dns_dbiterator_first(dbit));
1714 CHECK(dns_dbiterator_last(dbit));
1717 update_log(client, zone, ISC_LOG_ERROR,
1718 "secure zone with no NSECs");
1719 result = DNS_R_BADZONE;
1723 CHECK(dns_dbiterator_current(dbit, &node, newname));
1724 dns_db_detachnode(db, &node);
1727 * The iterator may hold the tree lock, and
1728 * rrset_exists() calls dns_db_findnode() which
1729 * may try to reacquire it. To avoid deadlock
1730 * we must pause the iterator first.
1732 CHECK(dns_dbiterator_pause(dbit));
1734 CHECK(rrset_exists(db, ver, newname,
1735 dns_rdatatype_nsec, 0, &has_nsec));
1737 dns_fixedname_t ffound;
1739 dns_fixedname_init(&ffound);
1740 found = dns_fixedname_name(&ffound);
1741 result = dns_db_find(db, newname, ver,
1743 DNS_DBFIND_NOWILD, 0, NULL, found,
1745 if (result == ISC_R_SUCCESS ||
1746 result == DNS_R_EMPTYNAME ||
1747 result == DNS_R_NXRRSET ||
1748 result == DNS_R_CNAME ||
1749 (result == DNS_R_DELEGATION &&
1750 dns_name_equal(newname, found))) {
1751 has_nsec = ISC_TRUE;
1752 result = ISC_R_SUCCESS;
1753 } else if (result != DNS_R_NXDOMAIN)
1756 } while (! has_nsec);
1759 dns_dbiterator_destroy(&dbit);
1765 * Add a NSEC record for "name", recording the change in "diff".
1766 * The existing NSEC is removed.
1769 add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1770 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
1773 isc_result_t result;
1774 dns_dbnode_t *node = NULL;
1775 unsigned char buffer[DNS_NSEC_BUFFERSIZE];
1776 dns_rdata_t rdata = DNS_RDATA_INIT;
1777 dns_difftuple_t *tuple = NULL;
1778 dns_fixedname_t fixedname;
1781 dns_fixedname_init(&fixedname);
1782 target = dns_fixedname_name(&fixedname);
1785 * Find the successor name, aka NSEC target.
1787 CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
1790 * Create the NSEC RDATA.
1792 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
1793 dns_rdata_init(&rdata);
1794 CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
1795 dns_db_detachnode(db, &node);
1798 * Delete the old NSEC and record the change.
1800 CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
1803 * Add the new NSEC and record the change.
1805 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
1806 nsecttl, &rdata, &tuple));
1807 CHECK(do_one_tuple(&tuple, db, ver, diff));
1808 INSIST(tuple == NULL);
1812 dns_db_detachnode(db, &node);
1817 * Add a placeholder NSEC record for "name", recording the change in "diff".
1820 add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1823 isc_result_t result;
1824 dns_difftuple_t *tuple = NULL;
1826 unsigned char data[1] = { 0 }; /* The root domain, no bits. */
1827 dns_rdata_t rdata = DNS_RDATA_INIT;
1830 r.length = sizeof(data);
1831 dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
1832 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
1834 CHECK(do_one_tuple(&tuple, db, ver, diff));
1840 find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
1841 isc_mem_t *mctx, unsigned int maxkeys,
1842 dst_key_t **keys, unsigned int *nkeys)
1844 isc_result_t result;
1845 dns_dbnode_t *node = NULL;
1846 const char *directory = dns_zone_getkeydirectory(zone);
1847 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
1848 CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
1849 directory, mctx, maxkeys, keys, nkeys));
1852 dns_db_detachnode(db, &node);
1857 * Add RRSIG records for an RRset, recording the change in "diff".
1860 add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
1861 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
1862 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
1863 isc_stdtime_t inception, isc_stdtime_t expire,
1864 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
1866 isc_result_t result;
1867 dns_dbnode_t *node = NULL;
1868 dns_rdataset_t rdataset;
1869 dns_rdata_t sig_rdata = DNS_RDATA_INIT;
1870 isc_buffer_t buffer;
1871 unsigned char data[1024]; /* XXX */
1873 isc_boolean_t added_sig = ISC_FALSE;
1874 isc_mem_t *mctx = client->mctx;
1876 dns_rdataset_init(&rdataset);
1877 isc_buffer_init(&buffer, data, sizeof(data));
1879 /* Get the rdataset to sign. */
1880 if (type == dns_rdatatype_nsec3)
1881 CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
1883 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
1884 CHECK(dns_db_findrdataset(db, node, ver, type, 0,
1885 (isc_stdtime_t) 0, &rdataset, NULL));
1886 dns_db_detachnode(db, &node);
1888 #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
1889 #define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
1890 #define ALG(x) dst_key_alg(x)
1893 * If we are honoring KSK flags then we need to check that we
1894 * have both KSK and non-KSK keys that are not revoked per
1897 for (i = 0; i < nkeys; i++) {
1898 isc_boolean_t both = ISC_FALSE;
1900 if (!dst_key_isprivate(keys[i]))
1903 if (check_ksk && !REVOKE(keys[i])) {
1904 isc_boolean_t have_ksk, have_nonksk;
1906 have_ksk = ISC_TRUE;
1907 have_nonksk = ISC_FALSE;
1909 have_ksk = ISC_FALSE;
1910 have_nonksk = ISC_TRUE;
1912 for (j = 0; j < nkeys; j++) {
1913 if (j == i || ALG(keys[i]) != ALG(keys[j]))
1915 if (REVOKE(keys[j]))
1918 have_ksk = ISC_TRUE;
1920 have_nonksk = ISC_TRUE;
1921 both = have_ksk && have_nonksk;
1928 if (type == dns_rdatatype_dnskey) {
1929 if (!KSK(keys[i]) && keyset_kskonly)
1931 } else if (KSK(keys[i]))
1933 } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
1936 /* Calculate the signature, creating a RRSIG RDATA. */
1937 CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
1938 &inception, &expire,
1939 mctx, &buffer, &sig_rdata));
1941 /* Update the database and journal with the RRSIG. */
1942 /* XXX inefficient - will cause dataset merging */
1943 CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
1944 rdataset.ttl, &sig_rdata));
1945 dns_rdata_reset(&sig_rdata);
1946 isc_buffer_init(&buffer, data, sizeof(data));
1947 added_sig = ISC_TRUE;
1950 update_log(client, zone, ISC_LOG_ERROR,
1951 "found no active private keys, "
1952 "unable to generate any signatures");
1953 result = ISC_R_NOTFOUND;
1957 if (dns_rdataset_isassociated(&rdataset))
1958 dns_rdataset_disassociate(&rdataset);
1960 dns_db_detachnode(db, &node);
1965 * Delete expired RRsigs and any RRsigs we are about to re-sign.
1966 * See also zone.c:del_sigs().
1969 del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
1970 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
1972 isc_result_t result;
1973 dns_dbnode_t *node = NULL;
1974 dns_rdataset_t rdataset;
1975 dns_rdata_t rdata = DNS_RDATA_INIT;
1977 dns_rdata_rrsig_t rrsig;
1978 isc_boolean_t found;
1980 dns_rdataset_init(&rdataset);
1982 result = dns_db_findnode(db, name, ISC_FALSE, &node);
1983 if (result == ISC_R_NOTFOUND)
1984 return (ISC_R_SUCCESS);
1985 if (result != ISC_R_SUCCESS)
1987 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
1988 dns_rdatatype_dnskey, (isc_stdtime_t) 0,
1990 dns_db_detachnode(db, &node);
1992 if (result == ISC_R_NOTFOUND)
1993 return (ISC_R_SUCCESS);
1994 if (result != ISC_R_SUCCESS)
1997 for (result = dns_rdataset_first(&rdataset);
1998 result == ISC_R_SUCCESS;
1999 result = dns_rdataset_next(&rdataset)) {
2000 dns_rdataset_current(&rdataset, &rdata);
2001 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
2002 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2004 for (i = 0; i < nkeys; i++) {
2005 if (rrsig.keyid == dst_key_id(keys[i])) {
2007 if (!dst_key_isprivate(keys[i])) {
2009 * The re-signing code in zone.c
2010 * will mark this as offline.
2011 * Just skip the record for now.
2015 result = update_one_rr(db, ver, diff,
2016 DNS_DIFFOP_DEL, name,
2017 rdataset.ttl, &rdata);
2022 * If there is not a matching DNSKEY then delete the RRSIG.
2025 result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
2026 name, rdataset.ttl, &rdata);
2027 dns_rdata_reset(&rdata);
2028 if (result != ISC_R_SUCCESS)
2031 dns_rdataset_disassociate(&rdataset);
2032 if (result == ISC_R_NOMORE)
2033 result = ISC_R_SUCCESS;
2036 dns_db_detachnode(db, &node);
2041 add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
2042 dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
2043 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
2044 isc_stdtime_t inception, isc_stdtime_t expire,
2045 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
2047 isc_result_t result;
2049 dns_rdatasetiter_t *iter;
2052 result = dns_db_findnode(db, name, ISC_FALSE, &node);
2053 if (result == ISC_R_NOTFOUND)
2054 return (ISC_R_SUCCESS);
2055 if (result != ISC_R_SUCCESS)
2059 result = dns_db_allrdatasets(db, node, ver,
2060 (isc_stdtime_t) 0, &iter);
2061 if (result != ISC_R_SUCCESS)
2064 for (result = dns_rdatasetiter_first(iter);
2065 result == ISC_R_SUCCESS;
2066 result = dns_rdatasetiter_next(iter))
2068 dns_rdataset_t rdataset;
2069 dns_rdatatype_t type;
2072 dns_rdataset_init(&rdataset);
2073 dns_rdatasetiter_current(iter, &rdataset);
2074 type = rdataset.type;
2075 dns_rdataset_disassociate(&rdataset);
2078 * We don't need to sign unsigned NSEC records at the cut
2079 * as they are handled elsewhere.
2081 if ((type == dns_rdatatype_rrsig) ||
2082 (cut && type != dns_rdatatype_ds))
2084 result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
2086 if (result != ISC_R_SUCCESS)
2087 goto cleanup_iterator;
2090 result = add_sigs(client, zone, db, ver, name, type, diff,
2091 keys, nkeys, inception, expire,
2092 check_ksk, keyset_kskonly);
2093 if (result != ISC_R_SUCCESS)
2094 goto cleanup_iterator;
2096 if (result == ISC_R_NOMORE)
2097 result = ISC_R_SUCCESS;
2100 dns_rdatasetiter_destroy(&iter);
2103 dns_db_detachnode(db, &node);
2109 * Update RRSIG, NSEC and NSEC3 records affected by an update. The original
2110 * update, including the SOA serial update but excluding the RRSIG & NSEC
2111 * changes, is in "diff" and has already been applied to "newver" of "db".
2112 * The database version prior to the update is "oldver".
2114 * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
2115 * and added (as a minimal diff) to "diff".
2117 * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
2120 update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
2121 dns_dbversion_t *oldver, dns_dbversion_t *newver,
2122 dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
2124 isc_result_t result;
2126 dns_diff_t diffnames;
2127 dns_diff_t affected;
2128 dns_diff_t sig_diff;
2129 dns_diff_t nsec_diff;
2130 dns_diff_t nsec_mindiff;
2131 isc_boolean_t flag, build_nsec, build_nsec3;
2132 dst_key_t *zone_keys[DNS_MAXZONEKEYS];
2133 unsigned int nkeys = 0;
2135 isc_stdtime_t now, inception, expire;
2137 dns_rdata_soa_t soa;
2138 dns_rdata_t rdata = DNS_RDATA_INIT;
2139 dns_rdataset_t rdataset;
2140 dns_dbnode_t *node = NULL;
2141 isc_boolean_t check_ksk, keyset_kskonly;
2142 isc_boolean_t unsecure;
2144 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
2146 dns_diff_init(client->mctx, &diffnames);
2147 dns_diff_init(client->mctx, &affected);
2149 dns_diff_init(client->mctx, &sig_diff);
2150 sig_diff.resign = dns_zone_getsigresigninginterval(zone);
2151 dns_diff_init(client->mctx, &nsec_diff);
2152 dns_diff_init(client->mctx, &nsec_mindiff);
2154 result = find_zone_keys(zone, db, newver, client->mctx,
2155 DNS_MAXZONEKEYS, zone_keys, &nkeys);
2156 if (result != ISC_R_SUCCESS) {
2157 update_log(client, zone, ISC_LOG_ERROR,
2158 "could not get zone keys for secure dynamic update");
2162 isc_stdtime_get(&now);
2163 inception = now - 3600; /* Allow for some clock skew. */
2164 expire = now + sigvalidityinterval;
2167 * Do we look at the KSK flag on the DNSKEY to determining which
2168 * keys sign which RRsets? First check the zone option then
2169 * check the keys flags to make sure at least one has a ksk set
2172 check_ksk = ISC_TF((dns_zone_getoptions(zone) &
2173 DNS_ZONEOPT_UPDATECHECKKSK) != 0);
2174 keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
2175 DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
2178 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
2180 CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
2181 dns_rdataset_init(&rdataset);
2182 CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
2183 (isc_stdtime_t) 0, &rdataset, NULL));
2184 CHECK(dns_rdataset_first(&rdataset));
2185 dns_rdataset_current(&rdataset, &rdata);
2186 CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
2187 nsecttl = soa.minimum;
2188 dns_rdataset_disassociate(&rdataset);
2189 dns_db_detachnode(db, &node);
2192 * Find all RRsets directly affected by the update, and
2193 * update their RRSIGs. Also build a list of names affected
2194 * by the update in "diffnames".
2196 CHECK(dns_diff_sort(diff, temp_order));
2198 t = ISC_LIST_HEAD(diff->tuples);
2200 dns_name_t *name = &t->name;
2201 /* Now "name" is a new, unique name affected by the update. */
2203 CHECK(namelist_append_name(&diffnames, name));
2205 while (t != NULL && dns_name_equal(&t->name, name)) {
2206 dns_rdatatype_t type;
2207 type = t->rdata.type;
2210 * Now "name" and "type" denote a new unique RRset
2211 * affected by the update.
2214 /* Don't sign RRSIGs. */
2215 if (type == dns_rdatatype_rrsig)
2219 * Delete all old RRSIGs covering this type, since they
2220 * are all invalid when the signed RRset has changed.
2221 * We may not be able to recreate all of them - tough.
2222 * Special case changes to the zone's DNSKEY records
2223 * to support offline KSKs.
2225 if (type == dns_rdatatype_dnskey)
2226 del_keysigs(db, newver, name, &sig_diff,
2229 CHECK(delete_if(true_p, db, newver, name,
2230 dns_rdatatype_rrsig, type,
2234 * If this RRset is still visible after the update,
2235 * add a new signature for it.
2237 CHECK(rrset_visible(db, newver, name, type, &flag));
2239 CHECK(add_sigs(client, zone, db, newver, name,
2240 type, &sig_diff, zone_keys,
2241 nkeys, inception, expire,
2242 check_ksk, keyset_kskonly));
2245 /* Skip any other updates to the same RRset. */
2247 dns_name_equal(&t->name, name) &&
2248 t->rdata.type == type)
2250 t = ISC_LIST_NEXT(t, link);
2254 update_log(client, zone, ISC_LOG_DEBUG(3), "updated data signatures");
2256 /* Remove orphaned NSECs and RRSIG NSECs. */
2257 for (t = ISC_LIST_HEAD(diffnames.tuples);
2259 t = ISC_LIST_NEXT(t, link))
2261 CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
2263 CHECK(delete_if(true_p, db, newver, &t->name,
2264 dns_rdatatype_any, 0,
2268 update_log(client, zone, ISC_LOG_DEBUG(3),
2269 "removed any orphaned NSEC records");
2272 * See if we need to build NSEC or NSEC3 chains.
2274 CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
2279 update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
2282 * When a name is created or deleted, its predecessor needs to
2283 * have its NSEC updated.
2285 for (t = ISC_LIST_HEAD(diffnames.tuples);
2287 t = ISC_LIST_NEXT(t, link))
2289 isc_boolean_t existed, exists;
2290 dns_fixedname_t fixedname;
2291 dns_name_t *prevname;
2293 dns_fixedname_init(&fixedname);
2294 prevname = dns_fixedname_name(&fixedname);
2296 CHECK(name_exists(db, oldver, &t->name, &existed));
2297 CHECK(name_exists(db, newver, &t->name, &exists));
2298 if (exists == existed)
2302 * Find the predecessor.
2303 * When names become obscured or unobscured in this update
2304 * transaction, we may find the wrong predecessor because
2305 * the NSECs have not yet been updated to reflect the delegation
2306 * change. This should not matter because in this case,
2307 * the correct predecessor is either the delegation node or
2308 * a newly unobscured node, and those nodes are on the
2309 * "affected" list in any case.
2311 CHECK(next_active(client, zone, db, newver,
2312 &t->name, prevname, ISC_FALSE));
2313 CHECK(namelist_append_name(&affected, prevname));
2317 * Find names potentially affected by delegation changes
2318 * (obscured by adding an NS or DNAME, or unobscured by
2321 for (t = ISC_LIST_HEAD(diffnames.tuples);
2323 t = ISC_LIST_NEXT(t, link))
2325 isc_boolean_t ns_existed, dname_existed;
2326 isc_boolean_t ns_exists, dname_exists;
2328 CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0,
2330 CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0,
2332 CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
2334 CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
2336 if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
2339 * There was a delegation change. Mark all subdomains
2340 * of t->name as potentially needing a NSEC update.
2342 CHECK(namelist_append_subdomain(db, &t->name, &affected));
2345 ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
2346 INSIST(ISC_LIST_EMPTY(diffnames.tuples));
2348 CHECK(uniqify_name_list(&affected));
2351 * Determine which names should have NSECs, and delete/create
2352 * NSECs to make it so. We don't know the final NSEC targets yet,
2353 * so we just create placeholder NSECs with arbitrary contents
2354 * to indicate that their respective owner names should be part of
2357 for (t = ISC_LIST_HEAD(affected.tuples);
2359 t = ISC_LIST_NEXT(t, link))
2361 isc_boolean_t exists;
2362 dns_name_t *name = &t->name;
2364 CHECK(name_exists(db, newver, name, &exists));
2367 CHECK(is_active(db, newver, name, &flag, &cut, NULL));
2370 * This name is obscured. Delete any
2371 * existing NSEC record.
2373 CHECK(delete_if(true_p, db, newver, name,
2374 dns_rdatatype_nsec, 0,
2376 CHECK(delete_if(rrsig_p, db, newver, name,
2377 dns_rdatatype_any, 0, NULL, diff));
2380 * This name is not obscured. It needs to have a
2381 * NSEC unless it is the at the origin, in which
2382 * case it should already exist if there is a complete
2383 * NSEC chain and if there isn't a complete NSEC chain
2384 * we don't want to add one as that would signal that
2385 * there is a complete NSEC chain.
2387 if (!dns_name_equal(name, dns_db_origin(db))) {
2388 CHECK(rrset_exists(db, newver, name,
2389 dns_rdatatype_nsec, 0,
2392 CHECK(add_placeholder_nsec(db, newver,
2395 CHECK(add_exposed_sigs(client, zone, db, newver, name,
2396 cut, &sig_diff, zone_keys, nkeys,
2397 inception, expire, check_ksk,
2403 * Now we know which names are part of the NSEC chain.
2404 * Make them all point at their correct targets.
2406 for (t = ISC_LIST_HEAD(affected.tuples);
2408 t = ISC_LIST_NEXT(t, link))
2410 CHECK(rrset_exists(db, newver, &t->name,
2411 dns_rdatatype_nsec, 0, &flag));
2414 * There is a NSEC, but we don't know if it is correct.
2415 * Delete it and create a correct one to be sure.
2416 * If the update was unnecessary, the diff minimization
2417 * will take care of eliminating it from the journal,
2420 * The RRSIG bit should always be set in the NSECs
2421 * we generate, because they will all get RRSIG NSECs.
2422 * (XXX what if the zone keys are missing?).
2423 * Because the RRSIG NSECs have not necessarily been
2424 * created yet, the correctness of the bit mask relies
2425 * on the assumption that NSECs are only created if
2426 * there is other data, and if there is other data,
2427 * there are other RRSIGs.
2429 CHECK(add_nsec(client, zone, db, newver, &t->name,
2430 nsecttl, &nsec_diff));
2435 * Minimize the set of NSEC updates so that we don't
2436 * have to regenerate the RRSIG NSECs for NSECs that were
2437 * replaced with identical ones.
2439 while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
2440 ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
2441 dns_diff_appendminimal(&nsec_mindiff, &t);
2444 update_log(client, zone, ISC_LOG_DEBUG(3),
2445 "signing rebuilt NSEC chain");
2447 /* Update RRSIG NSECs. */
2448 for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
2450 t = ISC_LIST_NEXT(t, link))
2452 if (t->op == DNS_DIFFOP_DEL) {
2453 CHECK(delete_if(true_p, db, newver, &t->name,
2454 dns_rdatatype_rrsig, dns_rdatatype_nsec,
2456 } else if (t->op == DNS_DIFFOP_ADD) {
2457 CHECK(add_sigs(client, zone, db, newver, &t->name,
2458 dns_rdatatype_nsec, &sig_diff,
2459 zone_keys, nkeys, inception, expire,
2460 check_ksk, keyset_kskonly));
2468 /* Record our changes for the journal. */
2469 while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
2470 ISC_LIST_UNLINK(sig_diff.tuples, t, link);
2471 dns_diff_appendminimal(diff, &t);
2473 while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
2474 ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
2475 dns_diff_appendminimal(diff, &t);
2478 INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
2479 INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
2480 INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
2483 update_log(client, zone, ISC_LOG_DEBUG(3),
2484 "no NSEC3 chains to rebuild");
2488 update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains");
2490 dns_diff_clear(&diffnames);
2491 dns_diff_clear(&affected);
2493 CHECK(dns_diff_sort(diff, temp_order));
2496 * Find names potentially affected by delegation changes
2497 * (obscured by adding an NS or DNAME, or unobscured by
2500 t = ISC_LIST_HEAD(diff->tuples);
2502 dns_name_t *name = &t->name;
2504 isc_boolean_t ns_existed, dname_existed;
2505 isc_boolean_t ns_exists, dname_exists;
2506 isc_boolean_t exists, existed;
2508 if (t->rdata.type == dns_rdatatype_nsec ||
2509 t->rdata.type == dns_rdatatype_rrsig) {
2510 t = ISC_LIST_NEXT(t, link);
2514 CHECK(namelist_append_name(&affected, name));
2516 CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns, 0,
2518 CHECK(rrset_exists(db, oldver, name, dns_rdatatype_dname, 0,
2520 CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0,
2522 CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
2525 exists = ns_exists || dname_exists;
2526 existed = ns_existed || dname_existed;
2527 if (exists == existed)
2530 * There was a delegation change. Mark all subdomains
2531 * of t->name as potentially needing a NSEC3 update.
2533 CHECK(namelist_append_subdomain(db, name, &affected));
2536 while (t != NULL && dns_name_equal(&t->name, name))
2537 t = ISC_LIST_NEXT(t, link);
2540 for (t = ISC_LIST_HEAD(affected.tuples);
2542 t = ISC_LIST_NEXT(t, link)) {
2543 dns_name_t *name = &t->name;
2545 unsecure = ISC_FALSE; /* Silence compiler warning. */
2546 CHECK(is_active(db, newver, name, &flag, &cut, &unsecure));
2549 CHECK(delete_if(rrsig_p, db, newver, name,
2550 dns_rdatatype_any, 0, NULL, diff));
2551 CHECK(dns_nsec3_delnsec3sx(db, newver, name,
2552 privatetype, &nsec_diff));
2554 CHECK(add_exposed_sigs(client, zone, db, newver, name,
2555 cut, &sig_diff, zone_keys, nkeys,
2556 inception, expire, check_ksk,
2558 CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
2559 unsecure, privatetype,
2565 * Minimize the set of NSEC3 updates so that we don't
2566 * have to regenerate the RRSIG NSEC3s for NSEC3s that were
2567 * replaced with identical ones.
2569 while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
2570 ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
2571 dns_diff_appendminimal(&nsec_mindiff, &t);
2574 update_log(client, zone, ISC_LOG_DEBUG(3),
2575 "signing rebuilt NSEC3 chain");
2577 /* Update RRSIG NSEC3s. */
2578 for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
2580 t = ISC_LIST_NEXT(t, link))
2582 if (t->op == DNS_DIFFOP_DEL) {
2583 CHECK(delete_if(true_p, db, newver, &t->name,
2584 dns_rdatatype_rrsig,
2585 dns_rdatatype_nsec3,
2587 } else if (t->op == DNS_DIFFOP_ADD) {
2588 CHECK(add_sigs(client, zone, db, newver, &t->name,
2589 dns_rdatatype_nsec3,
2590 &sig_diff, zone_keys, nkeys,
2591 inception, expire, check_ksk,
2598 /* Record our changes for the journal. */
2599 while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
2600 ISC_LIST_UNLINK(sig_diff.tuples, t, link);
2601 dns_diff_appendminimal(diff, &t);
2603 while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
2604 ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
2605 dns_diff_appendminimal(diff, &t);
2608 INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
2609 INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
2610 INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
2613 dns_diff_clear(&sig_diff);
2614 dns_diff_clear(&nsec_diff);
2615 dns_diff_clear(&nsec_mindiff);
2617 dns_diff_clear(&affected);
2618 dns_diff_clear(&diffnames);
2620 for (i = 0; i < nkeys; i++)
2621 dst_key_free(&zone_keys[i]);
2627 /**************************************************************************/
2629 * The actual update code in all its glory. We try to follow
2630 * the RFC2136 pseudocode as closely as possible.
2634 send_update_event(ns_client_t *client, dns_zone_t *zone) {
2635 isc_result_t result = ISC_R_SUCCESS;
2636 update_event_t *event = NULL;
2637 isc_task_t *zonetask = NULL;
2638 ns_client_t *evclient;
2640 event = (update_event_t *)
2641 isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
2642 update_action, NULL, sizeof(*event));
2644 FAIL(ISC_R_NOMEMORY);
2646 event->result = ISC_R_SUCCESS;
2649 ns_client_attach(client, &evclient);
2650 INSIST(client->nupdates == 0);
2652 event->ev_arg = evclient;
2654 dns_zone_gettask(zone, &zonetask);
2655 isc_task_send(zonetask, ISC_EVENT_PTR(&event));
2659 isc_event_free(ISC_EVENT_PTR(&event));
2664 respond(ns_client_t *client, isc_result_t result) {
2665 isc_result_t msg_result;
2667 msg_result = dns_message_reply(client->message, ISC_TRUE);
2668 if (msg_result != ISC_R_SUCCESS)
2670 client->message->rcode = dns_result_torcode(result);
2672 ns_client_send(client);
2676 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
2678 "could not create update response message: %s",
2679 isc_result_totext(msg_result));
2680 ns_client_next(client, msg_result);
2684 ns_update_start(ns_client_t *client, isc_result_t sigresult) {
2685 dns_message_t *request = client->message;
2686 isc_result_t result;
2687 dns_name_t *zonename;
2688 dns_rdataset_t *zone_rdataset;
2689 dns_zone_t *zone = NULL;
2692 * Interpret the zone section.
2694 result = dns_message_firstname(request, DNS_SECTION_ZONE);
2695 if (result != ISC_R_SUCCESS)
2696 FAILC(DNS_R_FORMERR, "update zone section empty");
2699 * The zone section must contain exactly one "question", and
2700 * it must be of type SOA.
2703 dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
2704 zone_rdataset = ISC_LIST_HEAD(zonename->list);
2705 if (zone_rdataset->type != dns_rdatatype_soa)
2706 FAILC(DNS_R_FORMERR,
2707 "update zone section contains non-SOA");
2708 if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
2709 FAILC(DNS_R_FORMERR,
2710 "update zone section contains multiple RRs");
2712 /* The zone section must have exactly one name. */
2713 result = dns_message_nextname(request, DNS_SECTION_ZONE);
2714 if (result != ISC_R_NOMORE)
2715 FAILC(DNS_R_FORMERR,
2716 "update zone section contains multiple RRs");
2718 result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
2720 if (result != ISC_R_SUCCESS)
2721 FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
2723 switch(dns_zone_gettype(zone)) {
2724 case dns_zone_master:
2727 * We can now fail due to a bad signature as we now know
2728 * that we are the master.
2730 if (sigresult != ISC_R_SUCCESS)
2732 CHECK(send_update_event(client, zone));
2734 case dns_zone_slave:
2735 CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
2736 "update forwarding", zonename, ISC_TRUE,
2738 CHECK(send_forward_event(client, zone));
2741 FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
2746 if (result == DNS_R_REFUSED) {
2747 INSIST(dns_zone_gettype(zone) == dns_zone_slave);
2748 inc_stats(zone, dns_nsstatscounter_updaterej);
2751 * We failed without having sent an update event to the zone.
2752 * We are still in the client task context, so we can
2753 * simply give an error response without switching tasks.
2755 respond(client, result);
2757 dns_zone_detach(&zone);
2761 * DS records are not allowed to exist without corresponding NS records,
2762 * RFC 3658, 2.2 Protocol Change,
2763 * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
2767 remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
2768 isc_result_t result;
2769 isc_boolean_t ns_exists;
2770 dns_difftuple_t *tupple;
2771 dns_diff_t temp_diff;
2773 dns_diff_init(diff->mctx, &temp_diff);
2775 for (tupple = ISC_LIST_HEAD(diff->tuples);
2777 tupple = ISC_LIST_NEXT(tupple, link)) {
2778 if (!((tupple->op == DNS_DIFFOP_DEL &&
2779 tupple->rdata.type == dns_rdatatype_ns) ||
2780 (tupple->op == DNS_DIFFOP_ADD &&
2781 tupple->rdata.type == dns_rdatatype_ds)))
2783 CHECK(rrset_exists(db, newver, &tupple->name,
2784 dns_rdatatype_ns, 0, &ns_exists));
2786 !dns_name_equal(&tupple->name, dns_db_origin(db)))
2788 CHECK(delete_if(true_p, db, newver, &tupple->name,
2789 dns_rdatatype_ds, 0, NULL, &temp_diff));
2791 result = ISC_R_SUCCESS;
2794 for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
2796 tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
2797 ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
2798 dns_diff_appendminimal(diff, &tupple);
2804 * This implements the post load integrity checks for mx records.
2807 check_mx(ns_client_t *client, dns_zone_t *zone,
2808 dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff)
2810 char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
2811 char ownerbuf[DNS_NAME_FORMATSIZE];
2812 char namebuf[DNS_NAME_FORMATSIZE];
2813 char altbuf[DNS_NAME_FORMATSIZE];
2815 dns_fixedname_t fixed;
2816 dns_name_t *foundname;
2819 isc_boolean_t ok = ISC_TRUE;
2820 isc_boolean_t isaddress;
2821 isc_result_t result;
2822 struct in6_addr addr6;
2823 struct in_addr addr;
2824 unsigned int options;
2826 dns_fixedname_init(&fixed);
2827 foundname = dns_fixedname_name(&fixed);
2828 dns_rdata_init(&rdata);
2829 options = dns_zone_getoptions(zone);
2831 for (t = ISC_LIST_HEAD(diff->tuples);
2833 t = ISC_LIST_NEXT(t, link)) {
2834 if (t->op != DNS_DIFFOP_ADD ||
2835 t->rdata.type != dns_rdatatype_mx)
2838 result = dns_rdata_tostruct(&t->rdata, &mx, NULL);
2839 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2841 * Check if we will error out if we attempt to reload the
2844 dns_name_format(&mx.mx, namebuf, sizeof(namebuf));
2845 dns_name_format(&t->name, ownerbuf, sizeof(ownerbuf));
2846 isaddress = ISC_FALSE;
2847 if ((options & DNS_RDATA_CHECKMX) != 0 &&
2848 strlcpy(tmp, namebuf, sizeof(tmp)) < sizeof(tmp)) {
2849 if (tmp[strlen(tmp) - 1] == '.')
2850 tmp[strlen(tmp) - 1] = '\0';
2851 if (inet_aton(tmp, &addr) == 1 ||
2852 inet_pton(AF_INET6, tmp, &addr6) == 1)
2853 isaddress = ISC_TRUE;
2856 if (isaddress && (options & DNS_RDATA_CHECKMXFAIL) != 0) {
2857 update_log(client, zone, ISC_LOG_ERROR,
2860 dns_result_totext(DNS_R_MXISADDRESS));
2862 } else if (isaddress) {
2863 update_log(client, zone, ISC_LOG_WARNING,
2864 "%s/MX: warning: '%s': %s",
2866 dns_result_totext(DNS_R_MXISADDRESS));
2870 * Check zone integrity checks.
2872 if ((options & DNS_ZONEOPT_CHECKINTEGRITY) == 0)
2874 result = dns_db_find(db, &mx.mx, newver, dns_rdatatype_a,
2875 0, 0, NULL, foundname, NULL, NULL);
2876 if (result == ISC_R_SUCCESS)
2879 if (result == DNS_R_NXRRSET) {
2880 result = dns_db_find(db, &mx.mx, newver,
2882 0, 0, NULL, foundname,
2884 if (result == ISC_R_SUCCESS)
2888 if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
2889 update_log(client, zone, ISC_LOG_ERROR,
2890 "%s/MX '%s' has no address records "
2891 "(A or AAAA)", ownerbuf, namebuf);
2893 } else if (result == DNS_R_CNAME) {
2894 update_log(client, zone, ISC_LOG_ERROR,
2895 "%s/MX '%s' is a CNAME (illegal)",
2898 } else if (result == DNS_R_DNAME) {
2899 dns_name_format(foundname, altbuf, sizeof altbuf);
2900 update_log(client, zone, ISC_LOG_ERROR,
2901 "%s/MX '%s' is below a DNAME '%s' (illegal)",
2902 ownerbuf, namebuf, altbuf);
2906 return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
2910 rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
2911 const dns_rdata_t *rdata, isc_boolean_t *flag)
2913 dns_rdataset_t rdataset;
2914 dns_dbnode_t *node = NULL;
2915 isc_result_t result;
2917 dns_rdataset_init(&rdataset);
2918 if (rdata->type == dns_rdatatype_nsec3)
2919 CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
2921 CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
2922 result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
2923 (isc_stdtime_t) 0, &rdataset, NULL);
2924 if (result == ISC_R_NOTFOUND) {
2926 result = ISC_R_SUCCESS;
2930 for (result = dns_rdataset_first(&rdataset);
2931 result == ISC_R_SUCCESS;
2932 result = dns_rdataset_next(&rdataset)) {
2933 dns_rdata_t myrdata = DNS_RDATA_INIT;
2934 dns_rdataset_current(&rdataset, &myrdata);
2935 if (!dns_rdata_casecompare(&myrdata, rdata))
2938 dns_rdataset_disassociate(&rdataset);
2939 if (result == ISC_R_SUCCESS) {
2941 } else if (result == ISC_R_NOMORE) {
2943 result = ISC_R_SUCCESS;
2948 dns_db_detachnode(db, &node);
2953 get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
2954 unsigned int *iterationsp)
2956 dns_dbnode_t *node = NULL;
2957 dns_rdata_nsec3param_t nsec3param;
2958 dns_rdataset_t rdataset;
2959 isc_result_t result;
2960 unsigned int iterations = 0;
2962 dns_rdataset_init(&rdataset);
2964 result = dns_db_getoriginnode(db, &node);
2965 if (result != ISC_R_SUCCESS)
2967 result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
2968 0, (isc_stdtime_t) 0, &rdataset, NULL);
2969 if (result == ISC_R_NOTFOUND)
2971 if (result != ISC_R_SUCCESS)
2974 for (result = dns_rdataset_first(&rdataset);
2975 result == ISC_R_SUCCESS;
2976 result = dns_rdataset_next(&rdataset)) {
2977 dns_rdata_t rdata = DNS_RDATA_INIT;
2978 dns_rdataset_current(&rdataset, &rdata);
2979 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
2980 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
2982 if (nsec3param.iterations > iterations)
2983 iterations = nsec3param.iterations;
2985 if (result != ISC_R_NOMORE)
2988 dns_rdataset_disassociate(&rdataset);
2991 if (privatetype == 0)
2994 result = dns_db_findrdataset(db, node, ver, privatetype,
2995 0, (isc_stdtime_t) 0, &rdataset, NULL);
2996 if (result == ISC_R_NOTFOUND)
2998 if (result != ISC_R_SUCCESS)
3001 for (result = dns_rdataset_first(&rdataset);
3002 result == ISC_R_SUCCESS;
3003 result = dns_rdataset_next(&rdataset)) {
3004 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
3005 dns_rdata_t private = DNS_RDATA_INIT;
3006 dns_rdata_t rdata = DNS_RDATA_INIT;
3008 dns_rdataset_current(&rdataset, &rdata);
3009 if (!dns_nsec3param_fromprivate(&private, &rdata,
3012 CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
3013 if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
3015 if (nsec3param.iterations > iterations)
3016 iterations = nsec3param.iterations;
3018 if (result != ISC_R_NOMORE)
3022 *iterationsp = iterations;
3023 result = ISC_R_SUCCESS;
3027 dns_db_detachnode(db, &node);
3028 if (dns_rdataset_isassociated(&rdataset))
3029 dns_rdataset_disassociate(&rdataset);
3034 * Prevent the zone entering a inconsistent state where
3035 * NSEC only DNSKEYs are present with NSEC3 chains.
3038 check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
3039 dns_dbversion_t *ver, dns_diff_t *diff)
3041 dns_difftuple_t *tuple;
3042 isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
3043 isc_result_t result;
3044 unsigned int iterations = 0, max;
3045 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
3047 /* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
3048 for (tuple = ISC_LIST_HEAD(diff->tuples);
3050 tuple = ISC_LIST_NEXT(tuple, link)) {
3051 if (tuple->op != DNS_DIFFOP_ADD)
3054 if (tuple->rdata.type == dns_rdatatype_dnskey) {
3056 alg = tuple->rdata.data[3];
3057 if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
3058 alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
3059 nseconly = ISC_TRUE;
3062 } else if (tuple->rdata.type == dns_rdatatype_nsec3param) {
3068 /* Check existing DB for NSEC-only DNSKEY */
3070 CHECK(dns_nsec_nseconly(db, ver, &nseconly));
3072 /* Check existing DB for NSEC3 */
3074 CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
3075 privatetype, &nsec3));
3077 /* Refuse to allow NSEC3 with NSEC-only keys */
3078 if (nseconly && nsec3) {
3079 update_log(client, zone, ISC_LOG_ERROR,
3080 "NSEC only DNSKEYs and NSEC3 chains not allowed");
3081 result = DNS_R_REFUSED;
3085 /* Verify NSEC3 params */
3086 CHECK(get_iterations(db, ver, privatetype, &iterations));
3087 CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
3088 if (max != 0 && iterations > max) {
3089 update_log(client, zone, ISC_LOG_ERROR,
3090 "too many NSEC3 iterations (%u) for "
3091 "weakest DNSKEY (%u)", iterations, max);
3092 result = DNS_R_REFUSED;
3101 * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
3104 add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
3105 dns_dbversion_t *ver, dns_diff_t *diff)
3107 isc_result_t result = ISC_R_SUCCESS;
3108 dns_difftuple_t *tuple, *newtuple = NULL, *next;
3109 dns_rdata_t rdata = DNS_RDATA_INIT;
3110 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
3111 dns_diff_t temp_diff;
3114 dns_name_t *name = dns_zone_getorigin(zone);
3115 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
3116 isc_uint32_t ttl = 0;
3117 isc_boolean_t ttl_good = ISC_FALSE;
3119 update_log(client, zone, ISC_LOG_DEBUG(3),
3120 "checking for NSEC3PARAM changes");
3122 dns_diff_init(diff->mctx, &temp_diff);
3125 * Extract NSEC3PARAM tuples from list.
3127 for (tuple = ISC_LIST_HEAD(diff->tuples);
3131 next = ISC_LIST_NEXT(tuple, link);
3133 if (tuple->rdata.type != dns_rdatatype_nsec3param ||
3134 !dns_name_equal(name, &tuple->name))
3136 ISC_LIST_UNLINK(diff->tuples, tuple, link);
3137 ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
3141 * Extract TTL changes pairs, we don't need to convert these to
3144 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3145 tuple != NULL; tuple = next) {
3146 if (tuple->op == DNS_DIFFOP_ADD) {
3149 * Any adds here will contain the final
3150 * NSEC3PARAM RRset TTL.
3153 ttl_good = ISC_TRUE;
3156 * Walk the temp_diff list looking for the
3157 * corresponding delete.
3159 next = ISC_LIST_HEAD(temp_diff.tuples);
3160 while (next != NULL) {
3161 unsigned char *next_data = next->rdata.data;
3162 unsigned char *tuple_data = tuple->rdata.data;
3163 if (next->op == DNS_DIFFOP_DEL &&
3164 next->rdata.length == tuple->rdata.length &&
3165 !memcmp(next_data, tuple_data,
3166 next->rdata.length)) {
3167 ISC_LIST_UNLINK(temp_diff.tuples, next,
3169 ISC_LIST_APPEND(diff->tuples, next,
3173 next = ISC_LIST_NEXT(next, link);
3176 * If we have not found a pair move onto the next
3180 next = ISC_LIST_NEXT(tuple, link);
3184 * Find the next tuple to be processed before
3185 * unlinking then complete moving the pair to 'diff'.
3187 next = ISC_LIST_NEXT(tuple, link);
3188 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3189 ISC_LIST_APPEND(diff->tuples, tuple, link);
3191 next = ISC_LIST_NEXT(tuple, link);
3195 * Preserve any ongoing changes from a BIND 9.6.x upgrade.
3197 * Any NSEC3PARAM records with flags other than OPTOUT named
3198 * in managing and should not be touched so revert such changes
3199 * taking into account any TTL change of the NSEC3PARAM RRset.
3201 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3202 tuple != NULL; tuple = next) {
3203 next = ISC_LIST_NEXT(tuple, link);
3204 if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
3206 * If we havn't had any adds then the tuple->ttl must
3207 * be the original ttl and should be used for any
3212 ttl_good = ISC_TRUE;
3214 op = (tuple->op == DNS_DIFFOP_DEL) ?
3215 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
3216 CHECK(dns_difftuple_create(diff->mctx, op, name,
3219 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3220 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3221 dns_diff_appendminimal(diff, &tuple);
3226 * We now have just the actual changes to the NSEC3PARAM RRset.
3227 * Convert the adds to delayed adds and the deletions into delayed
3230 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3231 tuple != NULL; tuple = next) {
3233 * If we havn't had any adds then the tuple->ttl must be the
3234 * original ttl and should be used for any future changes.
3238 ttl_good = ISC_TRUE;
3240 if (tuple->op == DNS_DIFFOP_ADD) {
3242 * Look for any deletes which match this ADD ignoring
3243 * OPTOUT. We don't need to explictly remove them as
3244 * they will be removed a side effect of processing
3247 next = ISC_LIST_HEAD(temp_diff.tuples);
3248 while (next != NULL) {
3249 unsigned char *next_data = next->rdata.data;
3250 unsigned char *tuple_data = tuple->rdata.data;
3251 if (next->op != DNS_DIFFOP_DEL ||
3252 next->rdata.length != tuple->rdata.length ||
3253 next_data[0] != tuple_data[0] ||
3254 next_data[2] != tuple_data[2] ||
3255 next_data[3] != tuple_data[3] ||
3256 memcmp(next_data + 4, tuple_data + 4,
3257 tuple->rdata.length - 4)) {
3258 next = ISC_LIST_NEXT(next, link);
3261 ISC_LIST_UNLINK(temp_diff.tuples, next, link);
3262 ISC_LIST_APPEND(diff->tuples, next, link);
3263 next = ISC_LIST_HEAD(temp_diff.tuples);
3266 * See if we already have a CREATE request in progress.
3268 dns_nsec3param_toprivate(&tuple->rdata, &rdata,
3269 privatetype, buf, sizeof(buf));
3270 buf[2] |= DNS_NSEC3FLAG_CREATE;
3271 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3274 CHECK(dns_difftuple_create(diff->mctx,
3278 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3282 * Remove any existing CREATE request to add an
3283 * otherwise indentical chain with a reversed
3286 buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
3287 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3290 CHECK(dns_difftuple_create(diff->mctx,
3294 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3298 * Find the next tuple to be processed and remove the
3299 * temporary add record.
3301 next = ISC_LIST_NEXT(tuple, link);
3302 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
3303 name, ttl, &tuple->rdata,
3305 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3306 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3307 dns_diff_appendminimal(diff, &tuple);
3308 dns_rdata_reset(&rdata);
3310 next = ISC_LIST_NEXT(tuple, link);
3313 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3314 tuple != NULL; tuple = next) {
3318 next = ISC_LIST_NEXT(tuple, link);
3320 * See if we already have a REMOVE request in progress.
3322 dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype,
3325 buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
3327 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3329 buf[2] &= ~DNS_NSEC3FLAG_NONSEC;
3330 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3334 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
3335 name, 0, &rdata, &newtuple));
3336 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3338 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
3339 ttl, &tuple->rdata, &newtuple));
3340 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3341 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3342 dns_diff_appendminimal(diff, &tuple);
3343 dns_rdata_reset(&rdata);
3346 result = ISC_R_SUCCESS;
3348 dns_diff_clear(&temp_diff);
3353 rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
3354 dns_dbversion_t *ver, dns_diff_t *diff)
3356 dns_diff_t temp_diff;
3358 dns_difftuple_t *tuple, *newtuple = NULL, *next;
3359 dns_name_t *name = dns_db_origin(db);
3360 isc_mem_t *mctx = diff->mctx;
3361 isc_result_t result;
3363 if (privatetype == 0)
3364 return (ISC_R_SUCCESS);
3366 dns_diff_init(mctx, &temp_diff);
3369 * Extract the changes to be rolled back.
3371 for (tuple = ISC_LIST_HEAD(diff->tuples);
3372 tuple != NULL; tuple = next) {
3374 next = ISC_LIST_NEXT(tuple, link);
3376 if (tuple->rdata.type != privatetype ||
3377 !dns_name_equal(name, &tuple->name))
3381 * Allow records which indicate that a zone has been
3382 * signed with a DNSKEY to be be removed.
3384 if (tuple->op == DNS_DIFFOP_DEL &&
3385 tuple->rdata.length == 5 &&
3386 tuple->rdata.data[0] != 0 &&
3387 tuple->rdata.data[4] != 0)
3390 ISC_LIST_UNLINK(diff->tuples, tuple, link);
3391 ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
3395 * Rollback the changes.
3397 while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
3398 op = (tuple->op == DNS_DIFFOP_DEL) ?
3399 DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
3400 CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
3401 &tuple->rdata, &newtuple));
3402 CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
3404 result = ISC_R_SUCCESS;
3407 dns_diff_clear(&temp_diff);
3412 * Add records to cause the delayed signing of the zone by added DNSKEY
3413 * to remove the RRSIG records generated by a deleted DNSKEY.
3416 add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
3417 dns_dbversion_t *ver, dns_diff_t *diff)
3419 dns_difftuple_t *tuple, *newtuple = NULL, *next;
3420 dns_rdata_dnskey_t dnskey;
3421 dns_rdata_t rdata = DNS_RDATA_INIT;
3424 isc_result_t result = ISC_R_SUCCESS;
3426 unsigned char buf[5];
3427 dns_name_t *name = dns_db_origin(db);
3428 dns_diff_t temp_diff;
3430 dns_diff_init(diff->mctx, &temp_diff);
3433 * Extract the DNSKEY tuples from the list.
3435 for (tuple = ISC_LIST_HEAD(diff->tuples);
3436 tuple != NULL; tuple = next) {
3438 next = ISC_LIST_NEXT(tuple, link);
3440 if (tuple->rdata.type != dns_rdatatype_dnskey)
3443 ISC_LIST_UNLINK(diff->tuples, tuple, link);
3444 ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
3448 * Extract TTL changes pairs, we don't need signing records for these.
3450 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3451 tuple != NULL; tuple = next) {
3452 if (tuple->op == DNS_DIFFOP_ADD) {
3454 * Walk the temp_diff list looking for the
3455 * corresponding delete.
3457 next = ISC_LIST_HEAD(temp_diff.tuples);
3458 while (next != NULL) {
3459 unsigned char *next_data = next->rdata.data;
3460 unsigned char *tuple_data = tuple->rdata.data;
3461 if (next->op == DNS_DIFFOP_DEL &&
3462 dns_name_equal(&tuple->name, &next->name) &&
3463 next->rdata.length == tuple->rdata.length &&
3464 !memcmp(next_data, tuple_data,
3465 next->rdata.length)) {
3466 ISC_LIST_UNLINK(temp_diff.tuples, next,
3468 ISC_LIST_APPEND(diff->tuples, next,
3472 next = ISC_LIST_NEXT(next, link);
3475 * If we have not found a pair move onto the next
3479 next = ISC_LIST_NEXT(tuple, link);
3483 * Find the next tuple to be processed before
3484 * unlinking then complete moving the pair to 'diff'.
3486 next = ISC_LIST_NEXT(tuple, link);
3487 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3488 ISC_LIST_APPEND(diff->tuples, tuple, link);
3490 next = ISC_LIST_NEXT(tuple, link);
3494 * Process the remaining DNSKEY entries.
3496 for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
3498 tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
3500 ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
3501 ISC_LIST_APPEND(diff->tuples, tuple, link);
3503 dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
3505 (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
3506 != DNS_KEYOWNER_ZONE)
3509 dns_rdata_toregion(&tuple->rdata, &r);
3511 keyid = dst_region_computeid(&r, dnskey.algorithm);
3513 buf[0] = dnskey.algorithm;
3514 buf[1] = (keyid & 0xff00) >> 8;
3515 buf[2] = (keyid & 0xff);
3516 buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
3519 rdata.length = sizeof(buf);
3520 rdata.type = privatetype;
3521 rdata.rdclass = tuple->rdata.rdclass;
3523 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3526 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
3527 name, 0, &rdata, &newtuple));
3528 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3529 INSIST(newtuple == NULL);
3531 * Remove any record which says this operation has already
3535 CHECK(rr_exists(db, ver, name, &rdata, &flag));
3537 CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
3538 name, 0, &rdata, &newtuple));
3539 CHECK(do_one_tuple(&newtuple, db, ver, diff));
3540 INSIST(newtuple == NULL);
3545 dns_diff_clear(&temp_diff);
3549 static isc_boolean_t
3550 isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
3551 isc_result_t result;
3552 isc_boolean_t build_nsec, build_nsec3;
3554 if (dns_db_issecure(db))
3557 result = dns_private_chains(db, ver, privatetype,
3558 &build_nsec, &build_nsec3);
3559 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3560 return (build_nsec || build_nsec3);
3564 update_action(isc_task_t *task, isc_event_t *event) {
3565 update_event_t *uev = (update_event_t *) event;
3566 dns_zone_t *zone = uev->zone;
3567 ns_client_t *client = (ns_client_t *)event->ev_arg;
3569 isc_result_t result;
3570 dns_db_t *db = NULL;
3571 dns_dbversion_t *oldver = NULL;
3572 dns_dbversion_t *ver = NULL;
3573 dns_diff_t diff; /* Pending updates. */
3574 dns_diff_t temp; /* Pending RR existence assertions. */
3575 isc_boolean_t soa_serial_changed = ISC_FALSE;
3576 isc_mem_t *mctx = client->mctx;
3577 dns_rdatatype_t covers;
3578 dns_message_t *request = client->message;
3579 dns_rdataclass_t zoneclass;
3580 dns_name_t *zonename;
3581 dns_ssutable_t *ssutable = NULL;
3582 dns_fixedname_t tmpnamefixed;
3583 dns_name_t *tmpname = NULL;
3584 unsigned int options;
3585 dns_difftuple_t *tuple;
3586 dns_rdata_dnskey_t dnskey;
3587 isc_boolean_t had_dnskey;
3588 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
3590 INSIST(event->ev_type == DNS_EVENT_UPDATE);
3592 dns_diff_init(mctx, &diff);
3593 dns_diff_init(mctx, &temp);
3595 CHECK(dns_zone_getdb(zone, &db));
3596 zonename = dns_db_origin(db);
3597 zoneclass = dns_db_class(db);
3598 dns_zone_getssutable(zone, &ssutable);
3601 * Update message processing can leak record existance information
3602 * so check that we are allowed to query this zone. Additionally
3603 * if we would refuse all updates for this zone we bail out here.
3605 CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
3606 dns_zone_getupdateacl(zone), ssutable));
3609 * Get old and new versions now that queryacl has been checked.
3611 dns_db_currentversion(db, &oldver);
3612 CHECK(dns_db_newversion(db, &ver));
3615 * Check prerequisites.
3618 for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
3619 result == ISC_R_SUCCESS;
3620 result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
3622 dns_name_t *name = NULL;
3623 dns_rdata_t rdata = DNS_RDATA_INIT;
3625 dns_rdataclass_t update_class;
3628 get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
3629 &name, &rdata, &covers, &ttl, &update_class);
3632 PREREQFAILC(DNS_R_FORMERR,
3633 "prerequisite TTL is not zero");
3635 if (! dns_name_issubdomain(name, zonename))
3636 PREREQFAILN(DNS_R_NOTZONE, name,
3637 "prerequisite name is out of zone");
3639 if (update_class == dns_rdataclass_any) {
3640 if (rdata.length != 0)
3641 PREREQFAILC(DNS_R_FORMERR,
3642 "class ANY prerequisite "
3643 "RDATA is not empty");
3644 if (rdata.type == dns_rdatatype_any) {
3645 CHECK(name_exists(db, ver, name, &flag));
3647 PREREQFAILN(DNS_R_NXDOMAIN, name,
3653 CHECK(rrset_exists(db, ver, name,
3654 rdata.type, covers, &flag));
3656 /* RRset does not exist. */
3657 PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type,
3658 "'rrset exists (value independent)' "
3659 "prerequisite not satisfied");
3662 } else if (update_class == dns_rdataclass_none) {
3663 if (rdata.length != 0)
3664 PREREQFAILC(DNS_R_FORMERR,
3665 "class NONE prerequisite "
3666 "RDATA is not empty");
3667 if (rdata.type == dns_rdatatype_any) {
3668 CHECK(name_exists(db, ver, name, &flag));
3670 PREREQFAILN(DNS_R_YXDOMAIN, name,
3671 "'name not in use' "
3676 CHECK(rrset_exists(db, ver, name,
3677 rdata.type, covers, &flag));
3680 PREREQFAILNT(DNS_R_YXRRSET, name,
3682 "'rrset does not exist' "
3687 } else if (update_class == zoneclass) {
3688 /* "temp<rr.name, rr.type> += rr;" */
3689 result = temp_append(&temp, name, &rdata);
3690 if (result != ISC_R_SUCCESS) {
3691 UNEXPECTED_ERROR(__FILE__, __LINE__,
3692 "temp entry creation failed: %s",
3693 dns_result_totext(result));
3694 FAIL(ISC_R_UNEXPECTED);
3697 PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
3700 if (result != ISC_R_NOMORE)
3704 * Perform the final check of the "rrset exists (value dependent)"
3707 if (ISC_LIST_HEAD(temp.tuples) != NULL) {
3708 dns_rdatatype_t type;
3711 * Sort the prerequisite records by owner name,
3714 result = dns_diff_sort(&temp, temp_order);
3715 if (result != ISC_R_SUCCESS)
3716 FAILC(result, "'RRset exists (value dependent)' "
3717 "prerequisite not satisfied");
3719 dns_fixedname_init(&tmpnamefixed);
3720 tmpname = dns_fixedname_name(&tmpnamefixed);
3721 result = temp_check(mctx, &temp, db, ver, tmpname, &type);
3722 if (result != ISC_R_SUCCESS)
3723 FAILNT(result, tmpname, type,
3724 "'RRset exists (value dependent)' "
3725 "prerequisite not satisfied");
3728 update_log(client, zone, LOGLEVEL_DEBUG,
3729 "prerequisites are OK");
3732 * Check Requestor's Permissions. It seems a bit silly to do this
3733 * only after prerequisite testing, but that is what RFC2136 says.
3735 if (ssutable == NULL)
3736 CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
3737 "update", zonename, ISC_FALSE, ISC_FALSE));
3738 else if (client->signer == NULL && !TCPCLIENT(client))
3739 CHECK(checkupdateacl(client, NULL, "update", zonename,
3740 ISC_FALSE, ISC_TRUE));
3742 if (dns_zone_getupdatedisabled(zone))
3743 FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
3744 "because the zone is frozen. Use "
3745 "'rndc thaw' to re-enable updates.");
3748 * Perform the Update Section Prescan.
3751 for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
3752 result == ISC_R_SUCCESS;
3753 result = dns_message_nextname(request, DNS_SECTION_UPDATE))
3755 dns_name_t *name = NULL;
3756 dns_rdata_t rdata = DNS_RDATA_INIT;
3758 dns_rdataclass_t update_class;
3759 get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
3760 &name, &rdata, &covers, &ttl, &update_class);
3762 if (! dns_name_issubdomain(name, zonename))
3763 FAILC(DNS_R_NOTZONE,
3764 "update RR is outside zone");
3765 if (update_class == zoneclass) {
3767 * Check for meta-RRs. The RFC2136 pseudocode says
3768 * check for ANY|AXFR|MAILA|MAILB, but the text adds
3769 * "or any other QUERY metatype"
3771 if (dns_rdatatype_ismeta(rdata.type)) {
3772 FAILC(DNS_R_FORMERR,
3773 "meta-RR in update");
3775 result = dns_zone_checknames(zone, name, &rdata);
3776 if (result != ISC_R_SUCCESS)
3777 FAIL(DNS_R_REFUSED);
3778 } else if (update_class == dns_rdataclass_any) {
3779 if (ttl != 0 || rdata.length != 0 ||
3780 (dns_rdatatype_ismeta(rdata.type) &&
3781 rdata.type != dns_rdatatype_any))
3782 FAILC(DNS_R_FORMERR,
3783 "meta-RR in update");
3784 } else if (update_class == dns_rdataclass_none) {
3786 dns_rdatatype_ismeta(rdata.type))
3787 FAILC(DNS_R_FORMERR,
3788 "meta-RR in update");
3790 update_log(client, zone, ISC_LOG_WARNING,
3791 "update RR has incorrect class %d",
3793 FAIL(DNS_R_FORMERR);
3797 * draft-ietf-dnsind-simple-secure-update-01 says
3798 * "Unlike traditional dynamic update, the client
3799 * is forbidden from updating NSEC records."
3801 if (rdata.type == dns_rdatatype_nsec3) {
3802 FAILC(DNS_R_REFUSED,
3803 "explicit NSEC3 updates are not allowed "
3805 } else if (rdata.type == dns_rdatatype_nsec) {
3806 FAILC(DNS_R_REFUSED,
3807 "explicit NSEC updates are not allowed "
3809 } else if (rdata.type == dns_rdatatype_rrsig &&
3810 !dns_name_equal(name, zonename)) {
3811 FAILC(DNS_R_REFUSED,
3812 "explicit RRSIG updates are currently "
3813 "not supported in secure zones except "
3817 if (ssutable != NULL) {
3818 isc_netaddr_t *tcpaddr, netaddr;
3819 dst_key_t *tsigkey = NULL;
3821 * If this is a TCP connection then pass the
3822 * address of the client through for tcp-self
3823 * and 6to4-self otherwise pass NULL. This
3824 * provides weak address based authentication.
3826 if (TCPCLIENT(client)) {
3827 isc_netaddr_fromsockaddr(&netaddr,
3833 if (client->message->tsigkey != NULL)
3834 tsigkey = client->message->tsigkey->key;
3836 if (rdata.type != dns_rdatatype_any) {
3837 if (!dns_ssutable_checkrules(ssutable,
3842 FAILC(DNS_R_REFUSED,
3843 "rejected by secure update");
3845 if (!ssu_checkall(db, ver, name, ssutable,
3846 client->signer, tcpaddr,
3848 FAILC(DNS_R_REFUSED,
3849 "rejected by secure update");
3853 if (result != ISC_R_NOMORE)
3856 update_log(client, zone, LOGLEVEL_DEBUG,
3857 "update section prescan OK");
3860 * Process the Update Section.
3863 options = dns_zone_getoptions(zone);
3864 for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
3865 result == ISC_R_SUCCESS;
3866 result = dns_message_nextname(request, DNS_SECTION_UPDATE))
3868 dns_name_t *name = NULL;
3869 dns_rdata_t rdata = DNS_RDATA_INIT;
3871 dns_rdataclass_t update_class;
3874 get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
3875 &name, &rdata, &covers, &ttl, &update_class);
3877 if (update_class == zoneclass) {
3880 * RFC1123 doesn't allow MF and MD in master zones. */
3881 if (rdata.type == dns_rdatatype_md ||
3882 rdata.type == dns_rdatatype_mf) {
3883 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3885 dns_rdatatype_format(rdata.type, typebuf,
3887 update_log(client, zone, LOGLEVEL_PROTOCOL,
3888 "attempt to add %s ignored",
3892 if ((rdata.type == dns_rdatatype_ns ||
3893 rdata.type == dns_rdatatype_dname) &&
3894 dns_name_iswildcard(name)) {
3895 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3897 dns_rdatatype_format(rdata.type, typebuf,
3899 update_log(client, zone,
3901 "attempt to add wildcard %s record "
3902 "ignored", typebuf);
3905 if (rdata.type == dns_rdatatype_cname) {
3906 CHECK(cname_incompatible_rrset_exists(db, ver,
3910 update_log(client, zone,
3912 "attempt to add CNAME "
3913 "alongside non-CNAME "
3918 CHECK(rrset_exists(db, ver, name,
3919 dns_rdatatype_cname, 0,
3922 ! dns_rdatatype_isdnssec(rdata.type))
3924 update_log(client, zone,
3926 "attempt to add non-CNAME "
3927 "alongside CNAME ignored");
3931 if (rdata.type == dns_rdatatype_soa) {
3933 CHECK(rrset_exists(db, ver, name,
3934 dns_rdatatype_soa, 0,
3937 update_log(client, zone,
3939 "attempt to create 2nd "
3943 CHECK(check_soa_increment(db, ver, &rdata,
3946 update_log(client, zone,
3948 "SOA update failed to "
3949 "increment serial, "
3953 soa_serial_changed = ISC_TRUE;
3956 if (rdata.type == privatetype) {
3957 update_log(client, zone, LOGLEVEL_PROTOCOL,
3958 "attempt to add a private type "
3959 "(%u) record rejected internal "
3960 "use only", privatetype);
3964 if (rdata.type == dns_rdatatype_nsec3param) {
3966 * Ignore attempts to add NSEC3PARAM records
3967 * with any flags other than OPTOUT.
3969 if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
3970 update_log(client, zone,
3972 "attempt to add NSEC3PARAM "
3973 "record with non OPTOUT "
3979 if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
3980 dns_name_internalwildcard(name)) {
3981 char namestr[DNS_NAME_FORMATSIZE];
3982 dns_name_format(name, namestr,
3984 update_log(client, zone, LOGLEVEL_PROTOCOL,
3985 "warning: ownername '%s' contains "
3986 "a non-terminal wildcard", namestr);
3989 if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
3990 char namestr[DNS_NAME_FORMATSIZE];
3991 char typestr[DNS_RDATATYPE_FORMATSIZE];
3992 dns_name_format(name, namestr,
3994 dns_rdatatype_format(rdata.type, typestr,
3996 update_log(client, zone, LOGLEVEL_PROTOCOL,
3997 "adding an RR at '%s' %s",
4001 /* Prepare the affected RRset for the addition. */
4003 add_rr_prepare_ctx_t ctx;
4008 ctx.update_rr = &rdata;
4009 ctx.update_rr_ttl = ttl;
4010 ctx.ignore_add = ISC_FALSE;
4011 dns_diff_init(mctx, &ctx.del_diff);
4012 dns_diff_init(mctx, &ctx.add_diff);
4013 CHECK(foreach_rr(db, ver, name, rdata.type,
4014 covers, add_rr_prepare_action,
4017 if (ctx.ignore_add) {
4018 dns_diff_clear(&ctx.del_diff);
4019 dns_diff_clear(&ctx.add_diff);
4021 CHECK(do_diff(&ctx.del_diff, db, ver,
4023 CHECK(do_diff(&ctx.add_diff, db, ver,
4025 CHECK(update_one_rr(db, ver, &diff,
4027 name, ttl, &rdata));
4030 } else if (update_class == dns_rdataclass_any) {
4031 if (rdata.type == dns_rdatatype_any) {
4032 if (isc_log_wouldlog(ns_g_lctx,
4035 char namestr[DNS_NAME_FORMATSIZE];
4036 dns_name_format(name, namestr,
4038 update_log(client, zone,
4040 "delete all rrsets from "
4041 "name '%s'", namestr);
4043 if (dns_name_equal(name, zonename)) {
4044 CHECK(delete_if(type_not_soa_nor_ns_p,
4046 dns_rdatatype_any, 0,
4049 CHECK(delete_if(type_not_dnssec,
4051 dns_rdatatype_any, 0,
4054 } else if (dns_name_equal(name, zonename) &&
4055 (rdata.type == dns_rdatatype_soa ||
4056 rdata.type == dns_rdatatype_ns)) {
4057 update_log(client, zone, LOGLEVEL_PROTOCOL,
4058 "attempt to delete all SOA "
4059 "or NS records ignored");
4062 if (isc_log_wouldlog(ns_g_lctx,
4065 char namestr[DNS_NAME_FORMATSIZE];
4066 char typestr[DNS_RDATATYPE_FORMATSIZE];
4067 dns_name_format(name, namestr,
4069 dns_rdatatype_format(rdata.type,
4072 update_log(client, zone,
4074 "deleting rrset at '%s' %s",
4077 CHECK(delete_if(true_p, db, ver, name,
4078 rdata.type, covers, &rdata,
4081 } else if (update_class == dns_rdataclass_none) {
4082 char namestr[DNS_NAME_FORMATSIZE];
4083 char typestr[DNS_RDATATYPE_FORMATSIZE];
4086 * The (name == zonename) condition appears in
4087 * RFC2136 3.4.2.4 but is missing from the pseudocode.
4089 if (dns_name_equal(name, zonename)) {
4090 if (rdata.type == dns_rdatatype_soa) {
4091 update_log(client, zone,
4093 "attempt to delete SOA "
4097 if (rdata.type == dns_rdatatype_ns) {
4099 CHECK(rr_count(db, ver, name,
4103 update_log(client, zone,
4112 dns_name_format(name, namestr, sizeof(namestr));
4113 dns_rdatatype_format(rdata.type, typestr,
4115 update_log(client, zone, LOGLEVEL_PROTOCOL,
4116 "deleting an RR at %s %s", namestr, typestr);
4117 CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type,
4118 covers, &rdata, &diff));
4121 if (result != ISC_R_NOMORE)
4125 * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
4126 * If they don't then back out all changes to DNSKEY/NSEC3PARAM
4129 if (! ISC_LIST_EMPTY(diff.tuples))
4130 CHECK(check_dnssec(client, zone, db, ver, &diff));
4132 if (! ISC_LIST_EMPTY(diff.tuples)) {
4133 unsigned int errors = 0;
4134 CHECK(dns_zone_nscheck(zone, db, ver, &errors));
4136 update_log(client, zone, LOGLEVEL_PROTOCOL,
4137 "update rejected: post update name server "
4138 "sanity check failed");
4139 result = DNS_R_REFUSED;
4145 * If any changes were made, increment the SOA serial number,
4146 * update RRSIGs and NSECs (if zone is secure), and write the update
4149 if (! ISC_LIST_EMPTY(diff.tuples)) {
4151 dns_journal_t *journal;
4152 isc_boolean_t has_dnskey;
4155 * Increment the SOA serial, but only if it was not
4156 * changed as a result of an update operation.
4158 if (! soa_serial_changed) {
4159 CHECK(increment_soa_serial(db, ver, &diff, mctx));
4162 CHECK(check_mx(client, zone, db, ver, &diff));
4164 CHECK(remove_orphaned_ds(db, ver, &diff));
4166 CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
4169 #define ALLOW_SECURE_TO_INSECURE(zone) \
4170 ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
4172 if (!ALLOW_SECURE_TO_INSECURE(zone)) {
4173 CHECK(rrset_exists(db, oldver, zonename,
4174 dns_rdatatype_dnskey, 0,
4176 if (had_dnskey && !has_dnskey) {
4177 update_log(client, zone, LOGLEVEL_PROTOCOL,
4178 "update rejected: all DNSKEY "
4179 "records removed and "
4180 "'dnssec-secure-to-insecure' "
4182 result = DNS_R_REFUSED;
4187 CHECK(rollback_private(db, privatetype, ver, &diff));
4189 CHECK(add_signing_records(db, privatetype, ver, &diff));
4191 CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
4195 * We are transitioning from secure to insecure.
4196 * Cause all NSEC3 chains to be deleted. When the
4197 * the last signature for the DNSKEY records are
4198 * remove any NSEC chain present will also be removed.
4200 CHECK(dns_nsec3param_deletechains(db, ver, zone,
4202 } else if (has_dnskey && isdnssec(db, ver, privatetype)) {
4203 isc_uint32_t interval;
4204 interval = dns_zone_getsigvalidityinterval(zone);
4205 result = update_signatures(client, zone, db, oldver,
4206 ver, &diff, interval);
4207 if (result != ISC_R_SUCCESS) {
4208 update_log(client, zone,
4210 "RRSIG/NSEC/NSEC3 update failed: %s",
4211 isc_result_totext(result));
4216 journalfile = dns_zone_getjournal(zone);
4217 if (journalfile != NULL) {
4218 update_log(client, zone, LOGLEVEL_DEBUG,
4219 "writing journal %s", journalfile);
4222 result = dns_journal_open(mctx, journalfile,
4223 ISC_TRUE, &journal);
4224 if (result != ISC_R_SUCCESS)
4225 FAILS(result, "journal open failed");
4227 result = dns_journal_write_transaction(journal, &diff);
4228 if (result != ISC_R_SUCCESS) {
4229 dns_journal_destroy(&journal);
4230 FAILS(result, "journal write failed");
4233 dns_journal_destroy(&journal);
4237 * XXXRTH Just a note that this committing code will have
4238 * to change to handle databases that need two-phase
4239 * commit, but this isn't a priority.
4241 update_log(client, zone, LOGLEVEL_DEBUG,
4242 "committing update transaction");
4244 dns_db_closeversion(db, &ver, ISC_TRUE);
4247 * Mark the zone as dirty so that it will be written to disk.
4249 dns_zone_markdirty(zone);
4252 * Notify slaves of the change we just made.
4254 dns_zone_notify(zone);
4257 * Cause the zone to be signed with the key that we
4258 * have just added or have the corresponding signatures
4261 * Note: we are already committed to this course of action.
4263 for (tuple = ISC_LIST_HEAD(diff.tuples);
4265 tuple = ISC_LIST_NEXT(tuple, link)) {
4267 dns_secalg_t algorithm;
4270 if (tuple->rdata.type != dns_rdatatype_dnskey)
4273 dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
4275 (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
4276 != DNS_KEYOWNER_ZONE)
4279 dns_rdata_toregion(&tuple->rdata, &r);
4280 algorithm = dnskey.algorithm;
4281 keyid = dst_region_computeid(&r, algorithm);
4283 result = dns_zone_signwithkey(zone, algorithm, keyid,
4284 ISC_TF(tuple->op == DNS_DIFFOP_DEL));
4285 if (result != ISC_R_SUCCESS) {
4286 update_log(client, zone, ISC_LOG_ERROR,
4287 "dns_zone_signwithkey failed: %s",
4288 dns_result_totext(result));
4293 * Cause the zone to add/delete NSEC3 chains for the
4294 * deferred NSEC3PARAM changes.
4296 * Note: we are already committed to this course of action.
4298 for (tuple = ISC_LIST_HEAD(diff.tuples);
4300 tuple = ISC_LIST_NEXT(tuple, link)) {
4301 unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
4302 dns_rdata_t rdata = DNS_RDATA_INIT;
4303 dns_rdata_nsec3param_t nsec3param;
4305 if (tuple->rdata.type != privatetype ||
4306 tuple->op != DNS_DIFFOP_ADD)
4309 if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
4312 dns_rdata_tostruct(&rdata, &nsec3param, NULL);
4313 if (nsec3param.flags == 0)
4316 result = dns_zone_addnsec3chain(zone, &nsec3param);
4317 if (result != ISC_R_SUCCESS) {
4318 update_log(client, zone, ISC_LOG_ERROR,
4319 "dns_zone_addnsec3chain failed: %s",
4320 dns_result_totext(result));
4324 update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
4325 dns_db_closeversion(db, &ver, ISC_TRUE);
4327 result = ISC_R_SUCCESS;
4332 * The reason for failure should have been logged at this point.
4335 update_log(client, zone, LOGLEVEL_DEBUG,
4337 dns_db_closeversion(db, &ver, ISC_FALSE);
4341 dns_diff_clear(&temp);
4342 dns_diff_clear(&diff);
4345 dns_db_closeversion(db, &oldver, ISC_FALSE);
4350 if (ssutable != NULL)
4351 dns_ssutable_detach(&ssutable);
4353 isc_task_detach(&task);
4354 uev->result = result;
4356 INSIST(uev->zone == zone); /* we use this later */
4357 uev->ev_type = DNS_EVENT_UPDATEDONE;
4358 uev->ev_action = updatedone_action;
4359 isc_task_send(client->task, &event);
4360 INSIST(event == NULL);
4364 updatedone_action(isc_task_t *task, isc_event_t *event) {
4365 update_event_t *uev = (update_event_t *) event;
4366 ns_client_t *client = (ns_client_t *) event->ev_arg;
4370 INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
4371 INSIST(task == client->task);
4373 INSIST(client->nupdates > 0);
4374 switch (uev->result) {
4376 inc_stats(uev->zone, dns_nsstatscounter_updatedone);
4379 inc_stats(uev->zone, dns_nsstatscounter_updaterej);
4382 inc_stats(uev->zone, dns_nsstatscounter_updatefail);
4385 if (uev->zone != NULL)
4386 dns_zone_detach(&uev->zone);
4388 respond(client, uev->result);
4389 isc_event_free(&event);
4390 ns_client_detach(&client);
4394 * Update forwarding support.
4398 forward_fail(isc_task_t *task, isc_event_t *event) {
4399 ns_client_t *client = (ns_client_t *)event->ev_arg;
4403 INSIST(client->nupdates > 0);
4405 respond(client, DNS_R_SERVFAIL);
4406 isc_event_free(&event);
4407 ns_client_detach(&client);
4412 forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
4413 update_event_t *uev = arg;
4414 ns_client_t *client = uev->ev_arg;
4415 dns_zone_t *zone = uev->zone;
4417 if (result != ISC_R_SUCCESS) {
4418 INSIST(answer == NULL);
4419 uev->ev_type = DNS_EVENT_UPDATEDONE;
4420 uev->ev_action = forward_fail;
4421 inc_stats(zone, dns_nsstatscounter_updatefwdfail);
4423 uev->ev_type = DNS_EVENT_UPDATEDONE;
4424 uev->ev_action = forward_done;
4425 uev->answer = answer;
4426 inc_stats(zone, dns_nsstatscounter_updaterespfwd);
4428 isc_task_send(client->task, ISC_EVENT_PTR(&uev));
4429 dns_zone_detach(&zone);
4433 forward_done(isc_task_t *task, isc_event_t *event) {
4434 update_event_t *uev = (update_event_t *) event;
4435 ns_client_t *client = (ns_client_t *)event->ev_arg;
4439 INSIST(client->nupdates > 0);
4441 ns_client_sendraw(client, uev->answer);
4442 dns_message_destroy(&uev->answer);
4443 isc_event_free(&event);
4444 ns_client_detach(&client);
4448 forward_action(isc_task_t *task, isc_event_t *event) {
4449 update_event_t *uev = (update_event_t *) event;
4450 dns_zone_t *zone = uev->zone;
4451 ns_client_t *client = (ns_client_t *)event->ev_arg;
4452 isc_result_t result;
4454 result = dns_zone_forwardupdate(zone, client->message,
4455 forward_callback, event);
4456 if (result != ISC_R_SUCCESS) {
4457 uev->ev_type = DNS_EVENT_UPDATEDONE;
4458 uev->ev_action = forward_fail;
4459 isc_task_send(client->task, &event);
4460 inc_stats(zone, dns_nsstatscounter_updatefwdfail);
4461 dns_zone_detach(&zone);
4463 inc_stats(zone, dns_nsstatscounter_updatereqfwd);
4464 isc_task_detach(&task);
4468 send_forward_event(ns_client_t *client, dns_zone_t *zone) {
4469 isc_result_t result = ISC_R_SUCCESS;
4470 update_event_t *event = NULL;
4471 isc_task_t *zonetask = NULL;
4472 ns_client_t *evclient;
4475 * This may take some time so replace this client.
4477 if (!client->mortal && (client->attributes & NS_CLIENTATTR_TCP) == 0)
4478 CHECK(ns_client_replace(client));
4480 event = (update_event_t *)
4481 isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
4482 forward_action, NULL, sizeof(*event));
4484 FAIL(ISC_R_NOMEMORY);
4486 event->result = ISC_R_SUCCESS;
4489 ns_client_attach(client, &evclient);
4490 INSIST(client->nupdates == 0);
4492 event->ev_arg = evclient;
4494 dns_zone_gettask(zone, &zonetask);
4495 isc_task_send(zonetask, ISC_EVENT_PTR(&event));
4499 isc_event_free(ISC_EVENT_PTR(&event));